[Opendnssec-user] Performance of dsseen command and many keys.

Siôn Lloyd sion at nominet.org.uk
Mon Feb 18 14:31:03 UTC 2013

On 18/02/13 12:09, Erik P. Ostlyngen wrote:
> Hi,
> I've been doing some testing with opendnssec on a system with 800
> zones, separate keys for each zone. Since the zones were added
> simultaneously, the keys got ready to be activated at the same time.
> It turned out that the ods-ksmutils --dsseen command, which had to be
> run 800 times, was quite slow. It also kept the CPU busy and the kasp
> DB locked for a long time. The reason seemed to be that the --dsseen
> command notified the enforcer that the key data has changed. For each
> notification, the enforcer looped over all the keys to see what had
> changed.
> I got around the problem by stopping the enforcer while issuing the
> dsseen commands. Is this the recommended way of dealing with this
> situation, or is it possible to stop the enforcer from being notified
> between all the commands?
> Best regards,
> Erik Østlyngen

Hi Erik,

stopping the enforcer while running your multiple dsseen commands is
currently the only way to cope with this sort of situation.

If you like we could create a feature request for adding a flag to not
nudge the enforcer when the dsseen command is issued? Alternatively you
can create a request yourself at https://issues.opendnssec.org , the
advantage there is that you will get notified of progress and versions
that the feature gets added to, etc.

Thank you,
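
The workaround confirmed in this reply (stop the enforcer, issue every ds-seen, start it again), as an added example that is not part of the original thread. It assumes the OpenDNSSEC 1.x command forms `ods-control enforcer stop|start` and `ods-ksmutil key ds-seen --zone Z --keytag T`; the function name and the "zone keytag" input format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): batch DS-seen with the enforcer
# stopped, so each command does not trigger a scan over all keys.
# Assumed command forms (OpenDNSSEC 1.x):
#   ods-control enforcer stop|start
#   ods-ksmutil key ds-seen --zone ZONE --keytag TAG
ODS_CONTROL=${ODS_CONTROL:-ods-control}
ODS_KSMUTIL=${ODS_KSMUTIL:-ods-ksmutil}

# Reads "zone keytag" pairs from stdin; blank lines and lines starting
# with '#' are skipped.
# Returns 0 if every key was marked, 1 if any entry failed, and 2 if the
# enforcer could not be stopped or started.
batch_ds_seen() {
    failed=0
    "$ODS_CONTROL" enforcer stop || return 2
    while read -r zone keytag _ || [ -n "$zone" ]; do
        case "$zone" in
            ''|'#'*) continue ;;
        esac
        # Key tags are decimal integers; reject anything else before it
        # reaches the command line.
        case "$keytag" in
            ''|*[!0-9]*)
                echo "bad keytag for $zone: $keytag" >&2
                failed=1
                continue ;;
        esac
        # </dev/null keeps the tool from consuming the list on stdin.
        if ! "$ODS_KSMUTIL" key ds-seen --zone "$zone" \
                --keytag "$keytag" </dev/null; then
            echo "ds-seen failed: $zone $keytag" >&2
            failed=1
        fi
    done
    # Start the enforcer again even when some entries failed, so key
    # rollovers are not left unattended.
    "$ODS_CONTROL" enforcer start || return 2
    return "$failed"
}
```

Call it as `batch_ds_seen < keys.txt`, where `keys.txt` lists one zone and key tag per line, and check the exit status before assuming every key was activated.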

