[Opendnssec-user] ods-auditor running for ever?
Alexd at nominet.org.uk
Tue Oct 27 15:12:03 UTC 2009
Hi Stephane -
> Signing a small zone works fine. Now, I tried to sign a copy of ".FR"
> (1.5 Mdomains, NSEC3, opt-out, two DS added) and the ods-auditor seems
> to run forever:
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 27036 root 20 0 166m 119m 2932 R 99 1.5 21:24.13 ods-auditor
>
> It does not seem normal. The log says:
>
> Oct 27 15:29:44 jezabel ods-signerd: use signature key: f87fd06a95e8cd187c6d826a5905eaae
> Oct 27 15:29:44 jezabel ods-signerd: write to subp: :add_zsk f87fd06a95e8cd187c6d826a5905eaae 7 256
> Oct 27 15:30:41 jezabel ods-signerd: signer stderr: signer: number of signatures created: 144 (2 rr/sec)
> Oct 27 15:30:41 jezabel ods-signerd: Created 144 new signatures
> Oct 27 15:30:41 jezabel ods-signerd: Run command: '/usr/local/libexec/opendnssec/finalizer -f /var/opendnssec/tmp/fr.signed'
> Oct 27 15:30:51 jezabel ods-signerd: Running auditor on zone
> Oct 27 15:30:51 jezabel ods-signerd: Run command: '/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/fr.finalized -z fr'
The auditor firstly sorts the zones. This can take some time (it uses the
OS sort command to do this). It will then produce output. [I guess I
should add output at the start, too.] Once the zones are sorted, then the
auditor will run. Again, this can take some time.
A future version of OpenDNSSEC may have support for partial auditing.
Until then, if you are signing a really large zone, and you don't need it
to be fully audited, then disabling the auditor will speed up the process
considerably. Of course, you may wish to run the auditor once, to make
sure there are no issues with the zone, before disabling it.
Thanks,
Alex.