[Opendnssec-user] Signature delay for one zone has one million domains
yaohongyuan
2016-03-10 07:14:45 UTC
Hi all,
I have one zone which has more than one million domains.
Recently I noticed that adding a new domain under this zone takes almost 40 minutes.
But the other zones work normally; it takes only about 1 minute to sign one new incoming RR record (from in-bind through opendnssec to out-bind).
All zones' configs are the same.
Is one zone with more than one million domains beyond opendnssec's control? (I think 1,000,000 is not a large number for opendnssec.)
And I made some changes in the config file, setting re-sign to every 5 minutes, but the result is unsatisfactory (from in-bind through opendnssec to out-bind takes about 20+ minutes).
A performance test of our HSM gave a result of 2600 RR/s, but the average in the log is far from this.
Jan 27 16:42:24 SST03 ods-signerd: [STATS] XX 1453884069 RR[count=1 time=1(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=9 reused=1035661 time=34(sec) avg=0(sig/sec)] TOTAL[time=76(sec)]
Jan 27 16:58:13 SST03 ods-signerd: [query] incoming notify for zone XX
Jan 27 16:58:13 SST03 ods-signerd: [query] ignore notify from localhost: zone XX transfer in progress
How could I speed up opendnssec so that it signs this zone in a timely manner?
Could I deploy opendnssec on a distributed cluster of servers to increase opendnssec's processing speed?
The opendnssec version we use is 1.4.7.
Could anybody please help me fix this issue together?
Currently I use a machine with 128G of memory to do the same work, which does not use swap, but it doesn't work: the signature delay is about 30 minutes, and the words below appear frequently in the system log.
Jan 27 16:58:13 SST03 ods-signerd: [query] incoming notify for zone XX
Jan 27 16:58:13 SST03 ods-signerd: [query] ignore notify from localhost: zone XX transfer in progress
With kind regards, Dean
Berry A.W. van Halderen
2016-03-10 09:15:58 UTC
Post by yaohongyuan
Hi all,
I have one zone which has more than one million domains.
Recently I noticed that adding a new domain under this zone takes almost 40 minutes.
But the other zones work normally; it takes only about 1 minute to sign one new incoming RR record (from in-bind through opendnssec to out-bind).
All zones' configs are the same.
Is one zone with more than one million domains beyond opendnssec's control? (I think 1,000,000 is not a large number for opendnssec.)
And I made some changes in the config file, setting re-sign to every 5 minutes, but the result is unsatisfactory (from in-bind through opendnssec to out-bind takes about 20+ minutes).
40 minutes is in excess of my expectations. I would expect something
in the order of 5 minutes. The delay is not caused by the signing
process, or the like, but by the fact that OpenDNSSEC makes sure
the entire zonefile is written such that it can possibly start without
having to re-sign the entire zone.

To improve speed, make sure the /var/opendnssec/signer and
/var/opendnssec/tmp directories are on filesystems which are fast enough.

This handling could be improved and is a feature we'd like to implement.
There are some ideas; ideas can be sponsored.

On the positive side, a single change does take time, but you do not
have to wait before pushing in another change. They are not handled
one by one, I believe, but taken up a bunch at a time. Since the pain
of writing the file is taken only once per bunch, the throughput is still
good, even though the latency would need to be improved.

With kind regards,
Berry van Halderen
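The [STATS] line quoted in the question breaks a signer run into RR, NSEC3, RRSIG and TOTAL time, which is what lets a reader check the point made in the reply that the signing itself is not where the minutes go. As an added example that is not part of this thread or of OpenDNSSEC, the Python below parses ods-signerd STATS lines of that shape and reports how much of each run fell outside signing; the sample log is constructed to match the lines in the question, and the field layout is assumed from those lines only.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, shaped like the ods-signerd 1.4 lines quoted in the thread.
SAMPLE_LOG = """\
Jan 27 16:42:24 SST03 ods-signerd: [STATS] XX 1453884069 RR[count=1 time=1(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=9 reused=1035661 time=34(sec) avg=0(sig/sec)] TOTAL[time=76(sec)]
Jan 27 16:58:13 SST03 ods-signerd: [query] incoming notify for zone XX
Jan 27 16:58:13 SST03 ods-signerd: [query] ignore notify from localhost: zone XX transfer in progress
"""

# Field layout assumed from the quoted line; NSEC3? also accepts an NSEC[...] block.
STATS_RE = re.compile(
    r"\[STATS\] (?P<zone>\S+) (?P<serial>\d+) "
    r"RR\[count=(?P<rr_count>\d+) time=(?P<rr_time>\d+)\(sec\)\] "
    r"NSEC3?\[count=(?P<nsec_count>\d+) time=(?P<nsec_time>\d+)\(sec\)\] "
    r"RRSIG\[new=(?P<sig_new>\d+) reused=(?P<sig_reused>\d+) "
    r"time=(?P<sig_time>\d+)\(sec\) avg=(?P<sig_avg>\d+)\(sig/sec\)\] "
    r"TOTAL\[time=(?P<total_time>\d+)\(sec\)\]"
)


@dataclass
class SignerStats:
    zone: str
    serial: int
    sig_new: int        # signatures actually produced by the HSM in this run
    sig_reused: int     # signatures still valid and carried over
    rr_time: int
    nsec_time: int
    sig_time: int
    total_time: int

    @property
    def other_time(self) -> int:
        """Seconds of the run not spent in RR, NSEC(3) or RRSIG work (e.g. writing output)."""
        return self.total_time - self.rr_time - self.nsec_time - self.sig_time

    @property
    def sign_fraction(self) -> float:
        """Share of the whole run that was signature handling."""
        return self.sig_time / self.total_time if self.total_time else 0.0


def parse_stats(log_text: str) -> List[SignerStats]:
    """Extract one SignerStats per [STATS] line; other signer log lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = STATS_RE.search(line)
        if m is None:
            continue
        ints = {k: int(m[k]) for k in ("serial", "sig_new", "sig_reused",
                                       "rr_time", "nsec_time", "sig_time", "total_time")}
        out.append(SignerStats(zone=m["zone"], **ints))
    return out
```

On the quoted line only 9 of 1035670 signatures are new, so avg=0 sig/sec says nothing about HSM throughput, and 41 of the 76 seconds are outside the RR, NSEC3 and RRSIG counters.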