[Opendnssec-user] Problems adding largish # of zones

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Dec 17 20:20:54 UTC 2015

Hash: SHA1


> My initial reaction is that this will make OpenDNSSEC into the 
> local network villain, and will create a "thundering herd" of TCP 
> connections on startup, possibly overwhelming the upstream auth 
> name server (which in our case also does other things than feed 
> OpenDNSSEC its zones(!)).

Yes, that is a very valid concern. I'd like to stress once more we do
not think of this as a solution but rather a short term patch to get
you going.

> If the signer wants to read a zone file, and the zone file isn't 
> there, do a zone transfer if configured to do so, and wait for it 
> to complete before proceeding, instead of "retrying".  If there's 
> no connection slot available, take a place in the queue, and don't
> simply declare "input adapter failed" and *not* initiate a zone
> transfer, and spin around ever more slowly trying to read a zone
> file which won't be there until a zone transfer is actually 
> attempted.  (That's what the behaviour looks like reading the log 
> files, which seems an awfully clumsy way to go about these 
> things...)

Agreed. Though at this point it is not crystal clear to me how the
current implementation is supposed to work. Personally I'm still in
the process to fully comprehend the code and not in the position to
apply major surgery.

> But ... this partly depends on what you actually mean when you say
> "the number of zones you are adding at once".  I can think of a
> couple of interpretations:
> 1) The number of zones configured where there's no cached file 
> on-disk, i.e. the number of configured zones.  When I get the 
> dreaded "soamin not set" assertion (which unhelpfully doesn't point
> to *which* zone or which file which triggers this error condition,
> possibly I'll take a look at fixing that), I as an operator have no
> other recourse than to remove all the cached files.  So am I then
> "adding the number of configured zones" (in my case, at present,
> 368).
> 2) The number of zones added in one batch, with "zone add" and 
> counted when you do the corresponding "update zonelist"?  This is
> in our situation usually quite modest, except for the round where I
> 2-3 weeks ago added around 300 in one go.
> Or perhaps "both 1 and 2"?

Yes, the cause is this connection list filling up. Both 1 and 2 add to

Version: GnuPG v2

Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list