On 03/10/2016 08:14 AM, yaohongyuan wrote:
> Hi all,
>
> I had one zone which has about more than one million domains.
>
> Recently noticed that when add a new domain under this zone almost
> cost 40 minutes.
>
> But the other zones were regular worked, just cost about 1 minutes
> to sign one new incoming RR record (from in-bind through opendnssec to
> out-bind).
>
> All zones' config are the same.
>
> Is if one zone more than one million domains will beyond the
> opendnssec's control? (I think 1,000,000 is not a large number for
> opendnssec)
>
> And I did some change in config file, set re-sign per 5 minutes,
> but the result is unsatisfactory (from in-bind through opendnssec to out-bind
> cost about 20+ minutes).

40 minutes is in excess of my expectations. I would expect something in the order of 5 minutes. The delay is not caused by the signing process, or likewise, but due to the fact that OpenDNSSEC makes sure the entire zonefile is written such that it can possibly start without having to re-sign the entire zone.

To improve speed, make sure the /var/opendnssec/signer or /var/opendnssec/tmp directories are on filesystems which are fast enough.

This handling could be improved and is a feature we'd like to implement. There are some ideas, ideas can be sponsored.

On the positive side, a single change does take time, but you do not have to wait before pushing in another change. They are not handled one by one I believe, but taken up a bunch at a time. Since the pain of writing the file is taken only once per bunch, the throughput is still good, even though the latency would need to be improved.

With kind regards,
Berry van Halderen

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
