[Opendnssec-user] Meaning of the STATS output line

Sebastian Castro sebastian at nzrs.net.nz
Mon Dec 6 03:00:39 UTC 2010


Matthijs Mekking wrote:
> Hi Sebastian,
> 

Hi Matthijs,

> On 12/03/2010 01:13 AM, Sebastian Castro wrote:
>> Hi:
> 
>> - Should the sum of <N>+<U> extracted from RRSIG[new=<N> reused=<U> ..]
>> match the total number of signatures in the zone <T>? We've found some
>> strange cases where the numbers don't match, in particular <N>+<U> < <T>
> 
> I would suspect so. It sounds strange to me that it does not match. Here
> is how it works:
> 
> The signer loops over all signatures and sees if they can be recycled. If
> so, I increment a counter that keeps track of reused signatures. If not,
> I just drop the signature.
> 
> Then, for all records that don't have a signature, I create one and put
> it in temporary memory. After creating all signatures, I add them to the
> RRset and for each signature I increment a counter that keeps track of
> created signatures.
> 
> I'll look into it a bit more why it could be that 'N+U < T'. If you have
> useful pointers of when this happens (key rollover, regular re-signing,
> updating signer configuration, updating zone content, ...),
> please let me know.

I gathered some data points to help with this:

- The zone is generated from the registration data once an hour, even if
the data hasn't changed. Each time a new serial number is produced. This
zone is loaded in BIND, which will take care of sending notifies to the
signing box.
- The signing box receives the notify and proceeds to pull the zone file
via AXFR. Once completed, the signing process is triggered.
- There were no key rollovers
- The number of signatures in the zone is 13, but the STATS line is
reporting 1 new and 4 reused in one run. After that we saved a copy of
the zone file. In the next run the STATS shows 2 new and 3 reused, but
if you compare both zones, there is one new signature (for the SOA record).
- We will keep collecting data in order to find a trend.


>> Finally, would be nice to have some documentation about what each stat
>> means :)
> 
> I have added some documentation to the wiki
> http://trac.opendnssec.org/wiki/Signer/Using/Running, which will see its
> way towards the OpenDNSSEC website when the actual 1.2 is released.
> Also, I have added some text about statistics in the signer README.
> Hopefully, this makes it clearer.

Thanks for this!
> 
> Thanks and best regards,
> 
> Matthijs

Best Regards,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
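
The consistency check discussed in this message (STATS counters against the signatures actually present in two consecutive zone snapshots), as an added example that is not part of the original message and is not OpenDNSSEC code. It assumes one record per line laid out as "owner TTL class type rdata"; the zone data, signatures and STATS fragment are constructed, and only the "RRSIG[new=<N> reused=<U>" fragment is taken from the thread.

```python
import re

# Only the "RRSIG[new=<N> reused=<U>" fragment comes from the thread; nothing
# else about the STATS line layout is assumed.
STATS_RE = re.compile(r"RRSIG\[new=(\d+) reused=(\d+)")

def parse_stats(line):
    """Return (new, reused) from a STATS log line, or None if not present."""
    m = STATS_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def rrsigs(zone_text):
    """Return {(owner, type covered, key tag, signature)} for each RRSIG.

    Assumes one record per line laid out as "owner TTL class type rdata".
    """
    found = set()
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue  # also skips NSEC records that list RRSIG in their bitmap
        rdata = f[4:]
        found.add((f[0].lower(), rdata[0], rdata[6], "".join(rdata[8:])))
    return found

def compare(stats_line, previous_zone, current_zone):
    """Compare the STATS counters with what the two zone snapshots contain."""
    new, reused = parse_stats(stats_line)
    prev, cur = rrsigs(previous_zone), rrsigs(current_zone)
    return {
        "stats_sum": new + reused,
        "zone_total": len(cur),
        "zone_new": sorted((o, t) for o, t, _, _ in cur - prev),
        "zone_reused": len(cur & prev),
        "consistent": new + reused == len(cur) and new == len(cur - prev),
    }

# Constructed sample data: two snapshots of a toy zone and one STATS fragment.
# The signatures are placeholders, not valid RRSIG data.
SIG = "{o} 3600 IN RRSIG {t} 8 2 3600 20101213000000 20101206000000 12345 example.nz. {s}"
PREVIOUS = "\n".join([
    SIG.format(o="example.nz.", t="SOA", s="c2lnLXNvYS0x"),
    SIG.format(o="example.nz.", t="NS", s="c2lnLW5z"),
    SIG.format(o="www.example.nz.", t="A", s="c2lnLWE="),
    "example.nz. 3600 IN NSEC www.example.nz. NS SOA RRSIG NSEC DNSKEY",
])
CURRENT = PREVIOUS.replace("c2lnLXNvYS0x", "c2lnLXNvYS0y")  # SOA re-signed
STATS = "RRSIG[new=1 reused=1]"  # counters that under-report, as in the thread

if __name__ == "__main__":
    print(compare(STATS, PREVIOUS, CURRENT))
```
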


