[Opendnssec-user] Times to Sign Zone

Mark Elkins mje at posix.co.za
Sat Nov 25 07:19:51 UTC 2017

Just a thought - if this is a virtual server (a memory size of 2 GB is
both suspicious and low), you are probably running out of "random"
entropy. You need "random" data to generate keys with - which in a
virtual server, may be slow for the kernel to generate.

i.e. - how long does it take to generate keys using the BIND tool:-
      dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com
Try that a few times in succession. If its not basically instant -
that's your problem.

Solution:  Install the 'haveged' package, www.irisa.fr/caps/projects/hipsor

On 24/11/2017 21:08, Luciano Minuchin wrote:
> 1.3hs to sign a zone whit 1.5Mb of size.
> This is normal?
> 2017-11-23 18:02 GMT-03:00 Luciano Minuchin
> <luciano.minuchin at gmail.com <mailto:luciano.minuchin at gmail.com>>:
>     Hi, I'm doing performance tests verifying the times in signing zones.
>     I understand that it will depend a lot on the Hardware but with
>     zones of 1.5MB (4000 registers approximately) the times are
>     extremely long.
>     In my case the Hardware is 2 CPU and 2 GB Ram
>     Do you have time statistics?
>     Thanks.
>     Luciano.
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20171125/0aeb53ed/attachment.htm>

More information about the Opendnssec-user mailing list