[Opendnssec-user] Performance of dsseen command and many keys.

Erik P. Ostlyngen erik.ostlyngen at uninett.no
Mon Feb 18 12:09:21 UTC 2013


I've been doing some testing with opendnssec on a system with 800
zones, separate keys for each zone. Since the zones were added
simultaneously, the keys got ready to be activated at the same time.

It turned out that the ods-ksmutils --dsseen command, which had to be
run 800 times, was quite slow. It also kept the CPU busy and the kasp
DB locked for a long time. The reason seemed to be that the --dsseen
command notified the enforcer that the key data has changed. For each
notification, the enforcer looped over all the keys to see what had

I got around the problem by stopping the enforcer while issuing the
dsseen commands. Is this the recommended way of dealing with this
situation, or is it possible to stop the enforcer from being notified
between all the commands?

Best regards,
Erik Østlyngen

More information about the Opendnssec-user mailing list