Hi Sebastian,

On 12/03/2010 01:13 AM, Sebastian Castro wrote:
> Hi:
>
> In our testing environment we have been checking and gathering the
> statistics printed by the signer to keep an eye on the system. We've
> found a few strange things for which we haven't found an answer:
>
> - Entries with 'RR[count=0 ...] ' for a non-empty zone. Those seem to
> occur when the signer reads the zone file to refresh signatures. When
> the zone is "fresh", the count is correct.

The count refers to the number of records read in the unsigned zone.
This value may be zero if, on a re-sign, the unsigned zone was not taken
into account. The same is true for the NSEC(3)[count...

> - Should the sum of <N>+<U> extracted from RRSIG[new=<N> reused=<U> ..]
> match the total number of signatures in the zone <T>? We've found some
> strange cases where the numbers don't match, in particular <N>+<U> < <T>

I would suspect so. It sounds strange to me that it does not match. Here
is how it works:

The signer loops over all signatures and sees if they can be recycled.
If so, I increment a counter that keeps track of reused signatures. If
not, I just drop the signature. Then, for all records that don't have a
signature, I create one and put it in temporary memory. After creating
all signatures, I add them to the RRset and for each signature I
increment a counter that keeps track of created signatures.

I'll look into it a bit more why it could be that 'N+U < T'. If you have
useful pointers of when this happens (key rollover, regular re-signing,
updating signer configuration, updating zone content, ...), please let
me know.

> - Is there a particular reason why the time and rates are precise to the
> second? In the original patch to add some of that functionality (ref
> http://trac.opendnssec.org/ticket/20) I was using a time precision to
> the millisecond. In a production environment I think it is useful to have
> higher precision.

There is no requirement for having such high detailed timings.
The patch for version 1.0 was easy to integrate, but for 1.2 we have a
different code base. So, there is not really a particular reason why
this is :). I'll see if the patch applies to version 1.2.

> Finally, would be nice to have some documentation about what each stat
> means :)

I have added some documentation to the wiki
http://trac.opendnssec.org/wiki/Signer/Using/Running, which will see its
way towards the OpenDNSSEC website when the actual 1.2 is released.
Also, I have added some text about statistics in the signer README.
Hopefully, this makes it clearer.

Thanks and best regards,

Matthijs
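
A monitoring check built on the statistics discussed in this thread, as an added example that is not part of the original message or of OpenDNSSEC: it matches only the `RR[count=` and `RRSIG[new=<N> reused=<U>` fragments quoted above and compares N+U with the RRSIG records counted in the signed zone (T). The function names, the sample statistics line and the zone text are constructed for illustration.

```python
import re

# Only the fragments quoted in the thread are matched; the rest of the
# statistics line is not shown there and is ignored here.
RR_STAT = re.compile(r"\bRR\[count=(\d+)")
RRSIG_STAT = re.compile(r"\bRRSIG\[new=(\d+) reused=(\d+)")

# Constructed sample input (not real signer output, not a real zone).
STATS_LINE = "RR[count=0 ...] RRSIG[new=1 reused=1 ..]"
SIGNED_ZONE = """\
$ORIGIN example.com.
@   3600 IN SOA ns1 hostmaster 2010120301 3600 600 86400 3600
@   3600 IN RRSIG SOA 8 2 3600 20101230000000 20101203000000 12345 example.com. c2lnMQ==
www 3600 IN A 192.0.2.1
www 3600 IN RRSIG A 8 3 3600 (
        20101230000000 20101203000000 12345 example.com. c2lnMg== )
    3600 IN RRSIG NSEC 8 3 3600 20101230000000 20101203000000 12345 example.com. c2lnMw==
"""

def count_rrsigs(zone_text):
    """Count RRSIG records (T) in a presentation-format zone, joining ( ) continuations."""
    total, depth, record = 0, 0, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]  # drop comments (assumes no ';' inside quoted data)
        if depth == 0:
            # A leading blank means the owner name is inherited from the previous record.
            record = ["<inherited>"] if line[:1] in (" ", "\t") else []
        depth += line.count("(") - line.count(")")
        record += line.replace("(", " ").replace(")", " ").split()
        if depth == 0 and "RRSIG" in record[1:4]:  # type follows owner [ttl] [class]
            total += 1
    return total

def check_stats(stats_line, unsigned_rr_count, signed_zone_text):
    """Return findings for one statistics line checked against the zone contents."""
    findings = []
    rr = RR_STAT.search(stats_line)
    if rr and int(rr.group(1)) == 0 and unsigned_rr_count > 0:
        # Per the reply above: zero when a re-sign did not read the unsigned zone.
        findings.append("RR count=0 for a non-empty zone")
    sig = RRSIG_STAT.search(stats_line)
    if sig:
        new, reused = int(sig.group(1)), int(sig.group(2))
        total = count_rrsigs(signed_zone_text)
        if new + reused != total:
            findings.append(f"new+reused={new + reused} but signed zone holds {total} RRSIGs")
    return findings

if __name__ == "__main__":
    for finding in check_stats(STATS_LINE, 2, SIGNED_ZONE):
        print(finding)
```

Recording which signer event (key rollover, regular re-sign, configuration or zone content update) preceded each mismatch gives the pointers asked for in the reply.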
