[opendnssec-user] Delete All Zones Error Using Mysql

Jerry Lundström jerry at opendnssec.org
Mon Oct 15 08:11:26 UTC 2012


Hi,

On Oct 15, 2012, at 07:01 , 刘硕 wrote:

> I'm using MySQL instead of SQLite. I have imported 500 zones, and when I tried to delete all the zones using 'ods-ksmutil zone delete --all',
> I got
> '
> ERROR: error executing SQL - Cannot delete or update a parent row: a foreign key constraint fails (`KASP`.`dnsseckeys`, CONSTRAINT `dnsseckeys_ibfk_1` FOREIGN KEY (`zone_id`) REFERENCES `zones` (`id`))
> ERROR: database operation failed - Cannot delete or update a parent row: a foreign key constraint fails (`KASP`.`dnsseckeys`, CONSTRAINT `dnsseckeys_ibfk_1` FOREIGN KEY (`zone_id`) REFERENCES `zones` (`id`))
> Error: failed to remove zone from database
> '
> I think OpenDNSSEC wants to delete data in table dnsseckeys but forgets to delete data in table zones first?
> 
> And I also got the messages below when I tried to list the zones in the DB:
> Found zone test1 in DB but not zonelist.
> Found zone test2 in DB but not zonelist.

I have reported this as a bug now: https://issues.opendnssec.org/browse/OPENDNSSEC-338

> P.S. Is OpenDNSSEC suitable for managing thousands of small zones with <ShareKeys> enabled?


Yes, but it depends on your policy. The Enforcer in 1.3 today checks the zones (to generate new keys and signer configs) in a serial manner, and if you have thousands of zones this will take a while. In 1.4 the Enforcer has the capability to do this in multiple threads, and that basically cuts the time by the number of cores/threads you give it. And of course it also depends on the hardware you have.

What you need to do is set up your environment with as many zones as you are going to have, then check the syslog to see how long it takes the Enforcer to run through all the zones, and then adjust the interval of the Enforcer to fit your needs.

In the upcoming 2.0 version we have rewritten the Enforcer from scratch to handle this type of scenario better.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/



