[Opendnssec-develop] 5000 zones - almost possible

sion at nominet.org.uk
Thu Nov 12 01:31:11 UTC 2009


> What I can see is that OpenDNSSEC v1.0.0 is not suitable for
> handling a large number of zones, because of the time scales and
> memory problems.
>
> Conclusions:
> * MySQL makes the ods-ksmutil more responsive.

This is expected, not just because of blocking issues either; it is just
faster.

> * The auditor should not be used when signing a large number of zones.
> * ods-enforcerd has some problems with memory leaks.

I'll look into these as soon as I finish the KSK stuff; realistically this
will be next week.

> * OpenDNSSEC v1.0.0 cannot be used for signing a large number of zones.

I have done no optimisation for large numbers of zones. A very simple one
for shared keys would be to write out essentially the same file (just tweak
it) for all zones. (Note that it is also doing all the timing calculations
again.) Also there are no indexes on the tables; this should help.

The real fun comes when you do not share keys.

Sion



