Online signing is cool, but slow. Caching queries in a reverse proxy is nice, but useless for something like NSD. But what if you want to do online signing in a fast way?

Enter: proxy chaining.

I already showed FunkenSign (example code is quite old though) and yesterday FunkenShield.

What if you combine the two? That gives the best of both worlds:

  • Online signing;
  • Caching;
  • And it adheres to the true Unix philosophy: do one thing, and do one thing well.

So lets get some figures again.

Nameserver

First start the nameserver:

cd _examples/ns && make
GOMAXPROCS=10 ./ns      # listens on port 8053

Online signing proxy

Next we start our online signing proxy. This proxy only signs answers to questions for c.miek.nl., and leaves other questions alone.

We listen on port 8054 and use the nameserver we started on port 8053:

cd examples/funkensturm && make -f Makefile_sign
# save the exe
cp funkensturm funkensturm_sign
# start it
GOMAXPROCS=10 ./funkensturm_sign -rserver=127.0.0.1:8053 -sserver=127.0.0.1:8054

Reverse proxy

And lastly the reverse proxy. It listens on port 8055 and forwards queries to 8054.

make -f Makefile_rproxy
cp funkensturm funkensturm_rproxy
GOMAXPROCS=10 ./funkensturm_rproxy -rserver=127.0.0.1:8054 -sserver=127.0.0.1:8055

Numbers

So we have:

caching proxy -> signing proxy -> nameserver

And for queryperf we create a data file with three queries:

  1. a.miek.nl A
  2. a.miek.nl AAAA
  3. c.miek.nl A

Where the answer to 3 will include a generated signature.

So lets query the nameserver on port 8053:

./queryperf -d data -s 127.0.0.1 -p 8053 -l 2 
Queries per second:   7298.194728 qps

7000+ qps; a normal number. Next directly query the online signing proxy on port 8054:

./queryperf -d data -s 127.0.0.1 -p 8054 -l 2
Queries per second:   205.991306 qps

205 qps… that’s onine signing for you: S L O W.

Next we use the caching proxy which caches the answers, we query on port 8055:

./queryperf -d data -s 127.0.0.1 -p 8055 -l 2
Queries per second:   28521.826761 qps

Thats again more like it.

So we have fast online signing in a clean way.

Note: (excluding godns) the combined line count is 197 lines for ns and 450 for funkensturm.