[Opendnssec-user] Immediate sign & locking issue (1.4.0a2)

Jerry Lundström jerry at opendnssec.org
Mon Jul 2 11:56:09 UTC 2012

Hi Sander,

On Jul 2, 2012, at 11:46 , Sander Smeenk wrote:
> Not at all to discredit the hard work you guys put in OpenDNSSEC but
> this enforcer design implementation of OpenDNSSEC also fits the 'we
> only manage one or two zones, not fourteenthousand'-mindset, imho.

Enforcer NG (OpenDNSSEC 2.0.0) will handle 'many zones'-setup a lot better and we are also in the process of writing system setup guides for various setups (small/large/many).

There is also an experimental branch (http://svn.opendnssec.org/home/jerry/OpenDNSSEC-1.3-multithread-enforcerd/) that uses threads in parts of the enforcer for 1.3 (and 1.4), this enables you to configure how many threads the enforcer should use to process zones. I tested it on a VirtualBox Ubuntu 10.04.3 on a slow usb disk using SQLite backend and 1000 zones, it cut processing time from 1 min to 10 seconds.

If you wish to try it for 1.4.0a2 let me know and I'll create a patch for you.

>> Using MySQL should fix the issue, we do no locking then.
> I'll try to switch to MySQL then. Quite possibly the enforcer runs will
> speed up significantly from that too. 

Right now the MySQL backend is A LOT faster then SQLite on certain platforms mostly because it handles transactions and disk I/O better. I have also seen that SQLite does not seem to work that well on FreeBSD, 1000 zones taking an hour to process when it should take a minute or two at most.

> Is there any experience on this list with switching to MySQL coming
> from SQLite that people want to share?

Sadly, there aren't any migration/conversion tools for this today but we'll see what we can do.


Jerry Lundström - OpenDNSSEC Developer

More information about the Opendnssec-user mailing list