[Opendnssec-user] Problems adding largish # of zones

Havard Eidnes he at uninett.no
Tue Dec 22 20:19:31 UTC 2015

>> Notice develop (1.4.8+) has a slightly different database layout
>> than 1.4.7. I'll work on a patch that applies on your version so
>> you don't have to upgrade..
> Fetch it from here.
> https://github.com/opendnssec/opendnssec/tree/1.4.7-tcp_queue_fix
> It has the patches applied on top of 1.4.7.

OK, I've applied this set of patches onto our local tree, and
we're now running with that code.


It now looks like OpenDNSSEC is even more eager to open sockets
and files, it's bumped into the open FD limit again, even though
I raised it even more.

And ... it looks like it likes to leave around FDs which
according to "netstat -f inet -n" are in CLOSE_WAIT state.  As I
see it, that means it's received a FIN from the remote, but the
application has yet to call close() on the socket.  I currently
count 335 such connections between the signer and the hidden
master, and according to "fstat", the signer has 362 open TCP
connections.  No wonder it's running itself out of open FDs if
it's not cleaning up after itself...

Meanwhile, the instrumentation I've added to count the number of
active FDs is hovering at small figures:

Dec 22 21:11:17 signerhost ods-signerd: [xfrd] allocating new TCP connection: 4

but it's also complaining of exceeding the number of open files.
So... there's something which is "off" with the FD consumption.

This notion that OpenDNSSEC's resource limits (except, perhaps,
its memory footprint, although I have misgivings about that as
well) such as max TCP connections and max total open files need
to scale with the number of zones it is configured to handle just
needs to go.  Anything else is not scalable.


- Håvard
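
Added example, not part of the original message and not OpenDNSSEC code: one way to track the CLOSE_WAIT build-up described above is to tally those sockets per remote endpoint from "netstat -n" output. The sample lines are constructed (documentation address ranges), and the function names and threshold are hypothetical.

```python
"""Tally CLOSE_WAIT sockets per remote endpoint from `netstat -n` output."""
from collections import Counter

# Constructed sample in the BSD `netstat -f inet -n` layout; not real data.
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.65012       192.0.2.1.53           CLOSE_WAIT
tcp        1      0  192.0.2.10.65013       192.0.2.1.53           CLOSE_WAIT
tcp        0      0  192.0.2.10.65014       192.0.2.1.53           ESTABLISHED
tcp        0      0  192.0.2.10.22          198.51.100.7.50122     ESTABLISHED
tcp        0      0  192.0.2.10.65020       192.0.2.1.53           CLOSE_WAIT
tcp        0      0  192.0.2.10.65021       192.0.2.2.53           TIME_WAIT
"""


def split_endpoint(addr):
    """Split 'host.port' (BSD, IPv4 as with -f inet) or 'host:port' (Linux)."""
    sep = ":" if ":" in addr else "."
    host, _, port = addr.rpartition(sep)
    return host, port


def close_wait_by_peer(netstat_text):
    """Count TCP sockets in CLOSE_WAIT, keyed by (remote host, remote port)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip banners, headers and non-TCP rows.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] == "CLOSE_WAIT":
            counts[split_endpoint(fields[4])] += 1
    return counts


def leak_suspects(netstat_text, threshold):
    """Peers with >= threshold sockets where a FIN arrived but the fd is still open."""
    counts = close_wait_by_peer(netstat_text)
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (host, port), n in close_wait_by_peer(SAMPLE).most_common():
        print(f"{n:5d} CLOSE_WAIT  {host} port {port}")
```

Run periodically against live output, a count that only grows for one peer points at sockets the daemon never close()s rather than at a limit that is merely too low.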