# Chaining proxies


Online signing is cool, but slow. Caching queries in a reverse proxy is
nice, but useless for something like NSD. But what
if you want to do online signing in a fast way?

> Enter: proxy chaining.

I already showed [FunkenSign](/2011/january/24/funkensign/index.html) (example code
is quite old though)
and yesterday [FunkenShield](/2011/july/31/reverse_dns_proxy/index.html).

What if you combine the two? That gives the best of both worlds:

* Online signing;
* Caching;
* And it adheres to the true Unix philosophy: do one thing, and do one thing well.

So let's get some figures again.

# Nameserver

First start the nameserver:

    cd _examples/ns && make
    GOMAXPROCS=10 ./ns      # listens on port 8053

# Online signing proxy

Next we start our online signing proxy. This proxy only signs answers to questions for
`c.miek.nl.`, and leaves other questions alone.

We listen on port 8054 and use the nameserver we started on port 8053:

    cd examples/funkensturm && make -f Makefile_sign
    # save the exe
    cp funkensturm funkensturm_sign
    # start it
    GOMAXPROCS=10 ./funkensturm_sign -rserver=127.0.0.1:8053 -sserver=127.0.0.1:8054

# Reverse proxy

And lastly the reverse proxy. It listens on port 8055 and forwards queries to 8054.

    make -f Makefile_rproxy
    cp funkensturm funkensturm_rproxy
    GOMAXPROCS=10 ./funkensturm_rproxy -rserver=127.0.0.1:8054 -sserver=127.0.0.1:8055


# Numbers

So we have:

    caching proxy -> signing proxy -> nameserver

And for queryperf we create a data file with three queries:

1. a.miek.nl A
2. a.miek.nl AAAA
3. c.miek.nl A  

Where the answer to 3 will include a generated signature.

So let's query the nameserver on port 8053:

    ./queryperf -d data -s 127.0.0.1 -p 8053 -l 2 
    Queries per second:   7298.194728 qps

7000+ qps; a normal number.
Next directly query the online signing proxy on port 8054:

    ./queryperf -d data -s 127.0.0.1 -p 8054 -l 2
    Queries per second:   205.991306 qps

205 qps... that's online signing for you: `S L O W`.

Next we use the caching proxy which caches the answers, 
we query on port 8055:

    ./queryperf -d data -s 127.0.0.1 -p 8055 -l 2
    Queries per second:   28521.826761 qps

That's more like it again.

So we have *fast* online signing in a *clean* way. 

Note: (excluding godns) the combined line count is
197 lines for `ns` and 450 for `funkensturm`.
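
The chain above (caching proxy -> signing proxy -> nameserver) reduced to in-process functions, as an added example that is not the FunkenSign or FunkenShield code. `Resolver`, `backend`, `signer` and `cache` are hypothetical names, Ed25519 over the answer text stands in for DNSSEC signature generation, and the TTL-based expiry in the cache is an assumed policy.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Resolver is a constructed type (not godns API) for one hop in the chain.
type Resolver func(q string) string

// backend stands in for the plain nameserver on port 8053.
func backend(q string) string { return q + " -> constructed answer" }

// signer (port 8054) signs only answers for zone; *n counts signing runs.
func signer(next Resolver, zone string, key ed25519.PrivateKey, n *int) Resolver {
	return func(q string) string {
		ans := next(q)
		if !strings.HasPrefix(q, zone) {
			return ans // other questions are left alone
		}
		*n++
		return fmt.Sprintf("%s SIG %x", ans, ed25519.Sign(key, []byte(ans)))
	}
}

// cache (port 8055) reuses an answer until ttl passes (assumed expiry policy).
func cache(next Resolver, ttl time.Duration, now func() time.Time) Resolver {
	var mu sync.Mutex // also keeps concurrent misses from signing twice
	store, exp := map[string]string{}, map[string]time.Time{}
	return func(q string) string {
		mu.Lock()
		defer mu.Unlock()
		if now().After(exp[q]) { // unknown or expired: ask the signing proxy
			store[q], exp[q] = next(q), now().Add(ttl)
		}
		return store[q]
	}
}

func main() {
	_, key, _ := ed25519.GenerateKey(nil)
	n := 0
	r := cache(signer(backend, "c.miek.nl.", key, &n), time.Minute, time.Now)
	same := r("c.miek.nl. A") == r("c.miek.nl. A")
	fmt.Println("cache hit identical:", same, "signatures generated:", n)
}
```

The signing counter stays at one however often the signed name is queried inside the TTL, which is where the jump in qps comes from; the TTL bounds how long a stored signature keeps being served.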

