[Opendnssec-user] Signature delay for one zone has one million domains

Berry A.W. van Halderen berry at nlnetlabs.nl
Thu Mar 10 09:15:58 UTC 2016


On 03/10/2016 08:14 AM, yaohongyuan wrote:
> Hi all,
>        I have one zone which has more than one million domains.
>        Recently I noticed that adding a new domain under this zone costs almost 40 minutes.
>        But the other zones work regularly, costing only about 1 minute to sign one new incoming RR record (from in-bind through opendnssec to out-bind).
>        All zones' configs are the same.
>        If one zone has more than one million domains, will it be beyond opendnssec's control? (I think 1,000,000 is not a large number for opendnssec.)
>        And I made some changes in the config file, set re-sign to every 5 minutes, but the result is unsatisfactory (from in-bind through opendnssec to out-bind costs about 20+ minutes).

40 minutes is in excess of my expectations.  I would expect something
in the order of 5 minutes.  The delay is not caused by the signing
process itself, or the like, but by the fact that OpenDNSSEC makes sure
the entire zonefile is written out such that it can possibly start without
having to re-sign the entire zone.

To improve speed, make sure the /var/opendnssec/signer and
/var/opendnssec/tmp directories are on filesystems which are fast enough.

This handling could be improved and is a feature we'd like to implement.
There are some ideas; ideas can be sponsored.

On the positive side, a single change does take time, but you do not
have to wait before pushing in another change.  They are not handled
one by one I believe, but taken up a bunch at a time.  Since the pain
of writing the file is taken only once per bunch, the throughput is still
good, even though the latency would need to be improved.

With kind regards,
Berry van Halderen
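The advice above comes down to one check: which filesystem the signer's directories live on, and how quickly a synchronous write to them completes. The following script is an added example, not part of the original mail or of OpenDNSSEC itself; the two default paths are the ones named in the reply, the function names (`ods_dir_fs`, `ods_write_test`) and the scratch-file name are assumptions, and the write size is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original mail or from OpenDNSSEC): report the
# filesystem holding each OpenDNSSEC directory and time a synchronous write
# there, so slow storage under the signer's working directory shows up.
# Defaults are the two directories named in the mail; pass others as arguments.

# Print "<device> <mountpoint>" for the filesystem holding a directory.
ods_dir_fs() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory (skipped)"
        return 0
    fi
    # POSIX df output: second line is "device blocks used avail cap mountpoint"
    df -P "$dir" | awk 'NR == 2 { print $1, $6 }'
}

# Write <mb> megabytes of zeros to a scratch file in <dir>, flush with sync(1),
# remove the file and print "<dir> <mb>MB <elapsed>s" (whole seconds).
ods_write_test() {
    dir=$1
    mb=${2:-64}          # constructed default size; raise it for fast disks
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "$dir: not writable (skipped)"
        return 0
    fi
    scratch="$dir/.ods_write_test.$$"   # assumed scratch-file name
    start=$(date +%s)
    dd if=/dev/zero of="$scratch" bs=1048576 count="$mb" 2>/dev/null
    sync
    end=$(date +%s)
    rm -f "$scratch"
    echo "$dir ${mb}MB $((end - start))s"
}

# Run against the directories from the mail unless others are given.
if [ $# -eq 0 ]; then
    set -- /var/opendnssec/signer /var/opendnssec/tmp
fi
for d in "$@"; do
    ods_dir_fs "$d"
    ods_write_test "$d"
done
```

Run it as root (or as the user the signer runs as) on the signer host; a write test that reports many seconds for 64 MB, or a device line pointing at a network or otherwise slow mount, is the case the reply is describing.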
