[dnsdist] dnsdist and DoT HW acceleration (QAT)
Aleš Rygl
ales at rygl.net
Fri Jan 31 10:15:38 UTC 2025
Hello,
I would kindly ask you if anyone can share their experience with
HW acceleration/offloading of TLS operations. In 1.8.0, experimental
QAT support was announced. Is anyone using it? We have a lot of TLS
sessions due to DoT. When running it on bare metal HW (Xeon 5217/EPYC
7313) we are struggling with CPU load. I am considering a HW upgrade and
going for Xeon 5520 or 6538 with built-in accelerators - if they can be
used of course. Preferably on Debian Linux.
I have a few questions - maybe someone here can advise me:
1. What do I need to do to enable acceleration? My understanding is
that the QAT device must be initialized (QAT lib, qatmgr), and dnsdist
has to call loadTLSProvider(). Does OpenSSL also have to be compiled
with QAT support and configured to use QAT providers?
2. Some Xeon CPUs have two QAT units. Is it somehow transparent to
the applications? Does it simply mean that it is more powerful or does
it have to be taken into account in configuration?
My AMD EPYC 7313 CPUs have hw support for AES-NI. From my understanding
OpenSSL and dnsdist benefit from that and it is completely transparent,
am I right?
Many thanks
Aleš