[Opendnssec-user] Times to Sign Zone

Discussion:

Luciano Minuchin

2017-11-23 21:02:59 UTC

Hi, I'm doing performance tests verifying the times in signing zones.
I understand that it will depend a lot on the Hardware but with zones of
1.5MB (4000 registers approximately) the times are extremely long.
In my case the Hardware is 2 CPU and 2 GB Ram

Do you have time statistics?

Thanks.
Luciano.

Luciano Minuchin

2017-11-24 19:08:50 UTC

Permalink

1.3hs to sign a zone whit 1.5Mb of size.
This is normal?

Post by Luciano Minuchin
Hi, I'm doing performance tests verifying the times in signing zones.
I understand that it will depend a lot on the Hardware but with zones of
1.5MB (4000 registers approximately) the times are extremely long.
In my case the Hardware is 2 CPU and 2 GB Ram
Do you have time statistics?
Thanks.
Luciano.

Thomas E.

2017-11-24 19:24:43 UTC

Permalink

Hi Luciano,

are you using SoftHSM? If so, wich version? You can use ods-hsmspeed for
perfomance tesing.

You will find Information here:

https://wiki.opendnssec.org/display/SoftHSM/v1+Performance

//thomas

Post by Luciano Minuchin
1.3hs to sign a zone whit 1.5Mb of size.
This is normal?
Hi, I'm doing performance tests verifying the times in signing zones.
I understand that it will depend a lot on the Hardware but with
zones of 1.5MB (4000 registers approximately) the times are
extremely long.
In my case the Hardware is 2 CPU and 2 GB Ram
Do you have time statistics?
Thanks.
Luciano.
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Luciano Minuchin

2017-11-24 19:52:41 UTC

Permalink

Good information Thomas

- i Interactions, is the number of lines in the zone file? or the number
of domains?

Thanks!.

Post by Thomas E.
Hi Luciano,
are you using SoftHSM? If so, wich version? You can use ods-hsmspeed for
perfomance tesing.
https://wiki.opendnssec.org/display/SoftHSM/v1+Performance
//thomas

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Jakob Schlyter

2017-11-24 21:35:33 UTC

Permalink

-i is the number of iterations, i.e., the number of crypto operations to run for testing (per thread).

jakob

Mark Elkins

2017-11-25 07:19:51 UTC

Permalink

Just a thought - if this is a virtual server (a memory size of 2 GB is
both suspicious and low), you are probably running out of "random"
entropy. You need "random" data to generate keys with - which in a
virtual server, may be slow for the kernel to generate.

i.e. - how long does it take to generate keys using the BIND tool:-
Â Â Â Â Â dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com
Try that a few times in succession. If its not basically instant -
that's your problem.

Solution:Â Install the 'haveged' package, www.irisa.fr/caps/projects/hipsor

Post by Luciano Minuchin
1.3hs to sign a zone whit 1.5Mb of size.
This is normal?
2017-11-23 18:02 GMT-03:00 Luciano Minuchin
Hi, I'm doing performance tests verifying the times in signing zones.
I understand that it will depend a lot on the Hardware but with
zones of 1.5MB (4000 registers approximately) the times are
extremely long.
In my case the Hardware is 2 CPU and 2 GB Ram
Do you have time statistics?
Thanks.
Luciano.
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za