  1. Support
  2. SUPPORT-264

Long signing times after resalt & key rollover, solved by restart

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.8
    • Fix Version/s: None
    • Component/s: Signer
    • Labels:
      None
    • Environment:

      .NL TLD
      Signing of a very large zone
      Linux
      Scripting -> ODS -> HSM -> Scripting -> Named

      Description

      In accordance with Berry's and our wishes, a bug report on an issue we experienced in June.

      A resalting of the .NL zone was performed by ODS.
      A ZSK rollover for the .NL zone was performed by ODS not long after, maybe during.
      This resulted in resigning of many records (tens of thousands per half hour), which was expected.
      It also resulted in strange sign times: before the process took about 6m, during resigning and also after the resigning was completed, the process often took up to 20m.
      Problem was solved when we followed Berry's advice to restart ODS.
      After the restart we went back to 6m, despite a new period of resigning (also tens of thousands per half hour).

      Berry suspects "Cache thrashing" but wants to investigate further.

       

      Example:

      14:06:02 ods-signerd: zone nl scheduled for immediate re-sign
      14:06:02 journal: check_and_sign nl: handed off signing to ods
      14:06:02 journal: check_and_sign nl: /usr/local/zonefile/bin/check_and_sign done
      14:06:02 ods-signerd: [adapter] read zone nl from file input adapter /var/lib/opendnssec/unsigned/nl/nl
      ... +6m
      14:12:10 ods-signerd: [adapter] write zone nl serial 2021062128 to output file adapter /var/lib/opendnssec/signed/nl/nl
      14:14:35 ods-signerd: [tools] notify nameserver: /usr/local/zonefile/bin/check_and_publish
      ... +8m
      14:22:16 ods-signerd: [STATS] nl 2021062128 RR[count=603 time=154(sec)] NSEC3[count=177 time=1(sec)] RRSIG[new=2532 reused=6954644 time=214(sec) avg=11(sig/sec)] TOTAL[time=974(sec)]

      ===========================================================================

      22:06:02 ods-signerd: zone nl scheduled for immediate re-sign
      22:06:02 journal: check_and_sign nl: handed off signing to ods
      22:06:02 journal: check_and_sign nl: /usr/local/zonefile/bin/check_and_sign done
      22:06:02 ods-signerd: [adapter] read zone nl from file input adapter /var/lib/opendnssec/unsigned/nl/nl
      ... +15m
      22:21:40 ods-signerd: [adapter] write zone nl serial 2021062144 to output file adapter /var/lib/opendnssec/signed/nl/nl
      22:28:30 ods-signerd: [tools] notify nameserver: /usr/local/zonefile/bin/check_and_publish
      ... +8m
      22:36:11 ods-signerd: [STATS] nl 2021062144 RR[count=158 time=723(sec)] NSEC3[count=69 time=1(sec)] RRSIG[new=2472 reused=6955062 time=215(sec) avg=11(sig/sec)] TOTAL[time=1809(sec)]
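
An added example, not part of the original report and not code from the signer project: a parser for the two `[STATS]` lines quoted above that splits TOTAL into its reported phases and shows which phase grew between the +6m run and the +15m run. The `other` bucket is an assumption of this example; it is simply TOTAL minus the three reported phase times.

```python
import re

# The two [STATS] lines quoted in the report, copied verbatim.
FAST = ("14:22:16 ods-signerd: [STATS] nl 2021062128 RR[count=603 time=154(sec)] "
        "NSEC3[count=177 time=1(sec)] RRSIG[new=2532 reused=6954644 time=214(sec) "
        "avg=11(sig/sec)] TOTAL[time=974(sec)]")
SLOW = ("22:36:11 ods-signerd: [STATS] nl 2021062144 RR[count=158 time=723(sec)] "
        "NSEC3[count=69 time=1(sec)] RRSIG[new=2472 reused=6955062 time=215(sec) "
        "avg=11(sig/sec)] TOTAL[time=1809(sec)]")

HEAD = re.compile(r"\[STATS\]\s+(\S+)\s+(\d+)\s")
# Lazy match up to the first "time=N(sec)" inside each bracketed phase,
# so "avg=11(sig/sec)" in the RRSIG block is never mistaken for a time.
PHASE = re.compile(r"\b(RR|NSEC3|RRSIG|TOTAL)\[[^\]]*?\btime=(\d+)\(sec\)")


def parse_stats(line):
    """Return zone, serial and per-phase seconds, or None if not a STATS line."""
    head = HEAD.search(line)
    if head is None:
        return None
    rec = {"zone": head.group(1), "serial": int(head.group(2))}
    for name, secs in PHASE.findall(line):
        rec[name] = int(secs)
    return rec if "TOTAL" in rec else None


def phases(rec):
    """Reported phase times plus 'other' (assumed: TOTAL minus the rest)."""
    out = {p: rec.get(p, 0) for p in ("RR", "NSEC3", "RRSIG")}
    out["other"] = rec["TOTAL"] - sum(out.values())
    return out


def regression(baseline, sample):
    """Growth in seconds per phase, and the phase that grew the most."""
    b, s = phases(baseline), phases(sample)
    delta = {p: s[p] - b[p] for p in b}
    return delta, max(delta, key=delta.get)


if __name__ == "__main__":
    delta, worst = regression(parse_stats(FAST), parse_stats(SLOW))
    for phase, secs in delta.items():
        print(f"{phase:6s} {secs:+5d}s")
    print("largest growth:", worst)
```

On these two lines the RRSIG time is unchanged, so the slowdown does not sit in the signature generation itself.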

       

            People

            Assignee:
            Unassigned
            Reporter:
            unixbeheer unixbeheer@sidn.nl