[Opendnssec-user] Meaning of the STATS output line

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Dec 3 10:44:06 CET 2010

Hi Sebastian,

On 12/03/2010 01:13 AM, Sebastian Castro wrote:
> Hi:
> In our testing environment we have been checking and gathering the
> statistics printed by the signer to keep an eye on the system. We've
> found a few strange things for which we haven't found an answer:
> - Entries with 'RR[count=0 ...] ' for a non-empty zone. Those seem to
> occur when the signer reads the zone file to refresh signatures. When
> the zone is "fresh", the count is correct.

The count refers to the number of records read in the unsigned zone.
This value may be zero if on a re-sign, the unsigned zone was not taken
into account. The same is true for the NSEC(3)[count...

> - Should the sum of <N>+<U> extracted from RRSIG[new=<N> reused=<U> ..]
> match the total number of signatures in the zone <T>? We've found some
> strange cases where the numbers don't match, in particular <N>+<U> < <T>

I would suspect so. It sounds strange to me that it does not match. Here
is how it works:

The signer loops over all signatures and sees if they can be recycled. If
so, I increment a counter that keeps track of reused signatures. If not,
I just drop the signature.

Then, for all records that don't have a signature, I create one and put
it in temporary memory. After creating all signatures, I add them to the
RRset and for each signature I increment a counter that keeps track of
created signatures.

I'll look into it a bit more why it could be that 'N+U < T'. If you have
useful pointers of when this happens (key rollover, regular re-signing,
updating signer configuration, updating zone content, ...),
please let me know.

> - Is there a particular reason why the time and rates are precise to the
> second? In the original patch to add some of that functionality (ref
> http://trac.opendnssec.org/ticket/20) I was using a time precision to
> the millisecond. In a production environment I think it is useful to have
> higher precision.

There is no requirement for having such high detailed timings. The patch
for version 1.0 was easy to integrate, but for 1.2 we have a different
code base. So, there is not really a particular reason why this is :).
I'll see if the patch applies to version 1.2.

> Finally, it would be nice to have some documentation about what each stat
> means :)

I have added some documentation to the wiki
http://trac.opendnssec.org/wiki/Signer/Using/Running, which will see its
way towards the OpenDNSSEC website when the actual 1.2 is released.
Also, I have added some text about statistics in the signer README.
Hopefully, this makes it clearer.

Thanks and best regards,
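
The N+U versus T comparison discussed in this thread can be automated as a monitoring check. The following is an added example, not part of the original message and not OpenDNSSEC code. It assumes the signed zone has one record per line with the owner name first. Only the `RRSIG[new=<N> reused=<U>` fragment quoted above is parsed; the rest of the sample STATS line and the zone data are constructed.

```python
import re

# Only the two fields quoted in the thread are matched; the rest of the
# STATS line is left unparsed because its layout is not shown on the page.
RRSIG_FIELDS = re.compile(r"RRSIG\[new=(\d+) reused=(\d+)")
CLASSES = {"IN", "CH", "HS"}

# Constructed signed zone: three RRSIG records; the NSEC type bitmap also
# contains the token "RRSIG", which must not be counted as a signature.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns.example. host.example. 1 3600 600 86400 3600
example. 3600 IN RRSIG SOA 8 1 3600 20110101000000 20101203000000 12345 example. c2ln
example. 3600 IN NSEC a.example. SOA RRSIG NSEC
example. 3600 IN RRSIG NSEC 8 1 3600 20110101000000 20101203000000 12345 example. c2ln
a.example. 3600 IN A 192.0.2.1
a.example. 3600 IN RRSIG A 8 2 3600 20110101000000 20101203000000 12345 example. c2ln
"""
# Constructed STATS fragment reproducing the reported N+U < T case.
SAMPLE_STATS = "RR[count=0] RRSIG[new=1 reused=1]"

def record_type(line):
    """Return the RR type of a one-line, owner-first record, or None."""
    tokens = line.split(";", 1)[0].split()        # drop trailing comment
    if not tokens or tokens[0].startswith("$"):   # blank line or directive
        return None
    for tok in tokens[1:]:                        # skip owner, then TTL/class
        if tok.isdigit() or tok.upper() in CLASSES:
            continue
        return tok.upper()
    return None

def count_rrsigs(zone_text):
    """T: number of RRSIG records actually present in the signed zone."""
    return sum(1 for l in zone_text.splitlines() if record_type(l) == "RRSIG")

def check_stats(stats_line, zone_text):
    """Compare N+U from the STATS line with T counted from the zone."""
    m = RRSIG_FIELDS.search(stats_line)
    if m is None:
        raise ValueError("no RRSIG[new=.. reused=..] field in STATS line")
    new, reused = int(m.group(1)), int(m.group(2))
    total = count_rrsigs(zone_text)
    return {"new": new, "reused": reused, "total": total,
            "consistent": new + reused == total}

if __name__ == "__main__":
    print(check_stats(SAMPLE_STATS, SAMPLE_ZONE))
```

Recording the result of each run alongside what triggered the re-sign (key rollover, configuration change, zone update) gives the kind of pointer the reply asks for.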
