[Opendnssec-user] Times to Sign Zone
Mark Elkins
mje at posix.co.za
Sat Nov 25 07:19:51 UTC 2017
Just a thought - if this is a virtual server (a memory size of 2 GB is
both suspicious and low), you are probably running out of "random"
entropy. You need "random" data to generate keys with - which in a
virtual server, may be slow for the kernel to generate.
i.e. - how long does it take to generate keys using the BIND tool:-
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -f KSK example.com
Try that a few times in succession. If its not basically instant -
that's your problem.
Solution: Install the 'haveged' package, www.irisa.fr/caps/projects/hipsor
On 24/11/2017 21:08, Luciano Minuchin wrote:
> 1.3hs to sign a zone whit 1.5Mb of size.
> This is normal?
>
> 2017-11-23 18:02 GMT-03:00 Luciano Minuchin
> <luciano.minuchin at gmail.com <mailto:luciano.minuchin at gmail.com>>:
>
> Hi, I'm doing performance tests verifying the times in signing zones.
> I understand that it will depend a lot on the Hardware but with
> zones of 1.5MB (4000 registers approximately) the times are
> extremely long.
> In my case the Hardware is 2 CPU and 2 GB Ram
>
> Do you have time statistics?
>
>
> Thanks.
> Luciano.
>
>
>
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20171125/0aeb53ed/attachment.htm>
More information about the Opendnssec-user
mailing list