Augie,

On Monday, 2013-02-04 19:01:38 -0600,
"Jeremy C. Reed" <jr...@isc.org> wrote:
> On Mon, 4 Feb 2013, Augie Schwer wrote:
>
> > Does anyone have any experience using a large ( 1k ) entry ACL list?
> > Was there any performance degradation?
> >
> > I haven't implemented my ACL yet, but it has quickly ballooned up,
> > and I am hoping to get some advice from others in a similar
> > situation.
>
> It has been a few years since I researched this. (I should re-add
> this to my existing performance and resource usage tests.)
>
> BIND 9.5 had various ACL improvements including support for O(1) ACL
> processing, based on radix tree code. As one example, with 20,000 to
> 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps,
> while the new version has around 21,000 qps.

This specific change should mean that adding IP-based ACL will not slow down ACL performance.

However, if you are using TSIG-based ACL then we can't store them in a radix tree, and these still scale linearly with the number of entries, IIRC.

I suppose we can change this to a tree-based structure at some point if there is a real need for large TSIG-based ACL. It still won't be as fast as IP-based ACL, but it should be much faster than the simple list-based implementation we have now.

Cheers,

--
Shane
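
An added illustration of the scaling difference discussed in this thread; it is not part of the original messages and is not BIND's code. It models an IPv4 ACL as a simple bitwise trie and as an entry-by-entry list, counts the work one lookup costs in each, and ignores BIND details such as entry ordering and negation. All function names and the 10.0.0.0-based entries are constructed for the example.

```python
"""Constructed model (not BIND source): IPv4 ACL lookup in a bitwise trie vs. a list."""
import ipaddress


def trie_add(root, net):
    """Insert a network by walking its prefix bits, most significant first."""
    node, addr = root, int(net.network_address)
    for i in range(net.prefixlen):
        node = node.setdefault((addr >> (31 - i)) & 1, {})
    node["entry"] = True


def trie_match(root, ip):
    """Return (matched, steps); steps is bit tests done, never more than 32."""
    node, addr, steps = root, int(ip), 0
    while "entry" not in node and steps < 32:
        node = node.get((addr >> (31 - steps)) & 1)
        steps += 1
        if node is None:
            return False, steps
    return "entry" in node, steps


def list_match(entries, ip):
    """Return (matched, steps); steps is entries compared, up to len(entries)."""
    for steps, net in enumerate(entries, start=1):
        if ip in net:
            return True, steps
    return False, len(entries)


def lookup_cost(n):
    """Cost of matching the last of n constructed /32 entries (10.0.0.0 + i)."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    nets = [ipaddress.ip_network(base + i) for i in range(n)]  # int -> /32 network
    root = {}
    for net in nets:
        trie_add(root, net)
    target = nets[-1].network_address
    return {"list": list_match(nets, target), "trie": trie_match(root, target)}


if __name__ == "__main__":
    for n in (1000, 20000):
        print(n, "entries:", lookup_cost(n))
```

The list cost equals the number of entries in the worst case, while the trie cost is bounded by the 32 address bits regardless of how many entries are loaded.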