[Opendnssec-user] About opendnssec signature performance

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Feb 9 08:44:15 UTC 2017


Hi Gaolei,

On 09-02-17 03:41, gaolei at zdns.cn wrote:
>         I had one zone which has about more than 15,000,000 domains.
>         Recently I noticed that adding a new domain under this zone costs almost 10 minutes.
...
>         The opendnssec version we used is 1.4.10
>         Could anybody please help me to fix this issue together?

Sadly this is a problem for OpenDNSSEC at the moment. The signer doesn't
scale well for very large zones. It is not the signing performance per
se, it will sign a large zone just fine, but a problem in handling
updates in such zones.

It is very high on our wishlist to straighten this out. We will work on
this as our main goal for OpenDNSSEC 2.2 and 2.3.

I can imagine these updates get a bit quicker when using nsec instead of
nsec3. But for big improvements we'll have to wait for the development.
Other than that, check the signer's memory consumption and make sure the
OS doesn't need to swap. Also, the signer will write out all kinds of
backup/temporary files in /var/opendnssec. Make sure those files are on
fast storage.

Best regards,
Yuri
