[Opendnssec-develop] RE: 1.2.0 with 50000 zones

Nick van den Heuvel nick.vandenheuvel at sidn.nl
Fri Mar 18 11:48:41 UTC 2011

I did try the same (signing 50.000 zones). The signer stops signing after about 12.000 zones. When the enforcer has finished its work, I will shut down the system and do a restart of ods.

Below you can find a small part of the logging:

Mar 18 12:44:33 DEVELOPER15 ods-enforcerd: Policy for 13777small.ods set to default.

Mar 18 12:44:33 DEVELOPER15 ods-enforcerd: Config will be output to /var/opendnssec/signconf/13777small.ods.xml.

Mar 18 12:44:34 DEVELOPER15 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone

Mar 18 12:44:34 DEVELOPER15 ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable

Mar 18 12:44:34 DEVELOPER15 ods-enforcerd: Zone 13778small.ods found.

Nick van den Heuvel


SIDN | Utrechtseweg 310 | 6812 AR | Postbus 5022 | 6802 EA | ARNHEM

T +31 (0)26 352 55 00 | F +31 (0)26 352 55 05

nick.vandenheuvel at sidn.nl | www.sidn.nl

-----Original Message-----
From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Patrik Wallström
Sent: Wednesday 16 February 2011 9:37
To: opendnssec-develop at lists.opendnssec.org
Subject: [Opendnssec-develop] 1.2.0 with 50000 zones

So I have now 50000 zones in the system. Previous to the start I had added 20500 zones which both the signer and the enforcer were happy with. After shutting down the system and adding another 29500 zones I synced the database to zonelist.xml and started it again with ods-control start.

Both the enforcer and the signer started as expected. The enforcer happily generated all the signconf files, and the signer started doing its thing. However, after coming back this morning, the enforcer was finished, having a full 50000 signconfigs in the signconf directory. But the signer only knew about 21823 zones, which was the number both in the queue and in the tmp and signed directories. So, somehow there was some sort of miscommunication between the two components. After shutting down the system, and starting the signer again, the signer was working as expected.

Any thoughts on this? Why isn't the signer picking up all the signconfs?


Patrik Wallström

Project Manager, R&D

.SE (Stiftelsen för Internetinfrastruktur)

E-mail: patrik.wallstrom at iis.se

Web: http://www.iis.se/

