Matthijs Mekking wrote:
> Hi Sebastian,

Hi Matthijs,

> On 12/03/2010 01:13 AM, Sebastian Castro wrote:
>> Hi:
>
>> - Should the sum of <N>+<U> extracted from RRSIG[new=<N> reused=<U> ..]
>> match the total number of signatures in the zone <T>? We've found some
>> strange cases where the numbers don't match, in particular <N>+<U> < <T>
>
> I would suspect so. It sounds strange to me that it does not match. Here
> is how it works:
>
> The signer loops over all signatures and sees if they can be recycled. If
> so, I increment a counter that keeps track of reused signatures. If not,
> I just drop the signature.
>
> Then, for all records that don't have a signature, I create one and put
> it in temporary memory. After creating all signatures, I add them to the
> RRset and for each signature I increment a counter that keeps track of
> created signatures.
>
> I'll look into it a bit more why it could be that 'N+U < T'. If you have
> useful pointers of when this happens (key rollover, regular re-signing,
> updating signer configuration, updating zone content, ...),
> please let me know.

I gathered some data points to help with this:

- The zone is generated from the registration data once an hour, even if the data hasn't changed. Each time a new serial number is produced. This zone is loaded in BIND, which will take care of sending notifies to the signing box.
- The signing box receives the notify and proceeds to pull the zone file via AXFR. Once completed, the signing process is triggered.
- There were no key rollovers.
- The number of signatures in the zone is 13, but the STATS line is reporting 1 new and 4 reused in one run. After that we saved a copy of the zone file. In the next run the STATS shows 2 new and 3 reused, but if you compare both zones, there is one new signature (for the SOA record).
- We will keep collecting data in order to find a trend.

>> Finally, it would be nice to have some documentation about what each stat
>> means :)
>
> I have added some documentation to the wiki
> http://trac.opendnssec.org/wiki/Signer/Using/Running, which will see its
> way towards the OpenDNSSEC website when the actual 1.2 is released.
> Also, I have added some text about statistics in the signer README.
> Hopefully, this makes it clearer.

Thanks for this!

>
> Thanks and best regards,
>
> Matthijs

Best Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
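A constructed Python model of the recycle/create accounting Matthijs describes (an added example, not OpenDNSSEC's signer code; the per-RRset version field, key tag, validity and refresh values are assumptions). Under this bookkeeping every signature left in the zone was counted exactly once, as reused or as new, so N+U equals T on every run, which is the invariant the STATS output in this thread breaks.

```python
from dataclasses import dataclass

@dataclass
class RRset:
    owner: str
    version: int      # bumped whenever the RRset's data changes (modelling device)

@dataclass
class RRSIG:
    owner: str        # RRset this signature covers (name/type, constructed)
    keytag: int       # key that produced it
    expiration: int   # unix time
    version: int      # RRset version it was computed over (modelling device)

VALIDITY = 30 * 86400   # assumed signature lifetime
REFRESH = 3 * 86400     # assumed: re-sign once less than this remains

def can_recycle(sig, rrset, now, active_keytag):
    """Keep a signature only if it was made by the active key, still covers
    unchanged data and is not yet inside the refresh window."""
    return (rrset is not None
            and sig.keytag == active_keytag
            and sig.version == rrset.version
            and sig.expiration - now > REFRESH)

def resign(rrsets, old_sigs, now, active_keytag):
    """One signer run: returns (new, reused, signatures now in the zone)."""
    by_owner = {r.owner: r for r in rrsets}
    kept = [s for s in old_sigs
            if can_recycle(s, by_owner.get(s.owner), now, active_keytag)]
    reused = len(kept)                 # counter incremented per recycled signature
    signed = {s.owner for s in kept}
    created = [RRSIG(r.owner, active_keytag, now + VALIDITY, r.version)
               for r in rrsets if r.owner not in signed]
    new = len(created)                 # counter incremented per created signature
    return new, reused, kept + created

def stats_line(new, reused):
    """Render the counters in the format quoted in the thread."""
    return f"RRSIG[new={new} reused={reused}]"

def hourly_runs(hours):
    """Constructed scenario: 13 RRsets, only the SOA serial changes each hour."""
    rrsets = [RRset("example./SOA", 0)] + [RRset(f"h{i}.example./A", 0) for i in range(12)]
    sigs, log, t = [], [], 0
    for h in range(hours):
        rrsets[0].version = h          # new serial, every other RRset unchanged
        new, reused, sigs = resign(rrsets, sigs, t, 4711)
        log.append((new, reused, len(sigs)))   # (N, U, T) per run
        t += 3600
    return log
```

Comparing the `(N, U, T)` triples from a real signer run against this model points at which counter is being skipped: in the data above, T stays 13 while N+U is 5.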
