[Opendnssec-develop] number of signatures generated

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Oct 28 14:33:08 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Could be true, but from the source code of the signer it looks pretty
straight-forward: created_sigs++ after hsm_sign_rrset and removed_sigs++
when not printing current signature.

Though created_sigs could be decreased when type covered is SOA.

Matthijs

Patrik Wallström wrote:
> I really don't understand the logging messages I see when test-signing  
> the .SE zone.
> 
> This is what is appended to the end of the signed zone:
> 
> ; Last refresh stats: existing: 870678, removed 1, created 6143
> 
> The number of generated signatures corresponds to the log message:
> Oct 28 12:29:13 dnssecsigner ods-signerd: signer stderr: signer:  
> number of signatures created: 6143 (62 rr/sec)
> Oct 28 12:29:13 dnssecsigner ods-signerd: Created 6143 new signatures
> 
> The parameters I use when test-signing is a lot shorted signature  
> lifetimes (2 days, with 6 hour jitter) than our real system. Which  
> means that a lot more signatures should be dropped and generated. So  
> my guess is that these counters don't really work... could this be true?
> 
>  From our real system, signing the same zone a day earlier:
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone success = 876229
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone retained = 839845
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone generated = 36384
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJK6FYXAAoJEA8yVCPsQCW5xAcIALYzaIixAD2XXKm5b2q908mt
IEVvziz8I3GcMiazubFScKts4AKFofF0IDQudfgqiy6AVQ1MJJHosWbWuFrELyG7
kK/dKpDZnV88ciRHNGmLhX4l8aQKjO6Hb9Xw0OddpYyl0h9Zw1EKoQYZAGqbLvcV
DuO5Wuonv7MureihNtuMK7p28OqMvxFD9vLPXpZ0iJ3/2UqeFczQ8oQslL1j7ds5
vdwudKaCJcHzrV9gJKwfxGcatNIH7x14zd22ueiqwVri+6oPWi4kRoPqilliUqvi
V6uyKCsoDJPP6b4IMPH/rujxj/595Bc7eCl0HdpNp+iSAu2L3mID8OHvmR9w5SE=
=yoIn
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list