Hi Niels,

> On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hello BIND users
>  
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all 
> the relevant records and the zone is transferred using IXFR to the 
> authoritative servers (6 nodes).

Just don’t do that, there’s no sensible reason to change salt that often (or 
ever).  I don’t know where the advice to change salt often comes from, but the 
advice has been wrong for so many years.

> Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by 
> a performance decline shortly after the change of salt. This has happened 
> after the last 3 changes of salt and the period of performance decline is 
> within 30 – 90 minutes. Most queries are dropped by the affected nodes during 
> the period. The normal rate is between 1.000 and 1.500 queries/second.
>  
> Other nodes running NSD and Knot are not affected.
>  
> What could be the reason for the performance decline?

We are currently investigating performance degradation related to big IXFRs.
Do you use ixfr-from-differences in your BIND configuration?  You could try 
enforcing AXFR on salt change.

This is currently tracked as 
https://gitlab.isc.org/isc-projects/bind9/issues/1447

and associated feature request: 
https://gitlab.isc.org/isc-projects/bind9/issues/1515

Ondrej
--
Ondřej Surý
ond...@isc.org
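
Added example, not part of the original message and not ISC's code: a sketch of the RFC 5155 NSEC3 owner-name hash, showing why a salt change makes the IXFR discussed above so large (every NSEC3 owner name is replaced, so the whole chain is deleted and re-added). The zone names and the new salt `11223344` are constructed; the old salt and iteration count are the RFC 5155 Appendix A test values.

```python
import base64
import hashlib

# base32 (RFC 4648 standard alphabet) -> base32hex, lower case, as used for NSEC3 owner labels
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over name||salt, then 'iterations' extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)

def chain_delta(names, old_salt, new_salt, iterations):
    """NSEC3 owner labels an IXFR must delete and add when only the salt changes."""
    old = {nsec3_hash(n, old_salt, iterations) for n in names}
    new = {nsec3_hash(n, new_salt, iterations) for n in names}
    return old - new, new - old

# Constructed sample zone contents (owner names only).
NAMES = ["example", "a.example", "ns1.example", "www.example", "mail.example"]

if __name__ == "__main__":
    removed, added = chain_delta(NAMES, "aabbccdd", "11223344", 12)
    print(f"{len(NAMES)} names: {len(removed)} NSEC3 owners deleted, {len(added)} added")
    for label in sorted(removed):
        print("  -", label)
    for label in sorted(added):
        print("  +", label)
```

Each deleted and added NSEC3 record also carries its own RRSIG, so the incremental transfer ends up holding the old chain and the new chain together.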
