RE: NSEC3 salt change - temporary performance decline

2020-01-23 Thread Niels Haarbo via bind-users
Thank you all for the answers.

We do not use ixfr-from-differences on the actual zone, but on several others 
on the same server. Not sure how a BIND handles that scenario.

I will try to solve the problem by changing the max-journal-size. According to 
the docs https://kb.isc.org/docs/aa-01641 it cannot 'hurt' integrity to set a 
low value - but a value too low will affect performance.

If I can't find a solution by lowering the max-journal-size, I will disable 
NSEC3 salt changes.

Best regards

Niels Haarbo
DK Hostmaster A/S


-Original Message-
From: Ondřej Surý  
Sent: Tuesday, January 21, 2020 4:41 PM
To: Niels Haarbo 
Cc: bind-users@lists.isc.org
Subject: Re: NSEC3 salt change - temporary performance decline

Hi Niels,

> On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users 
>  wrote:
> 
> Hello BIND users
>  
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all 
> the relevant records and the zone is transferred using IXFR to the 
> authoritative servers (6 nodes).

Just don’t do that, there’s no sensible reason to change salt that often (or 
ever).  I don’t know where the advice to change salt often comes from, but the 
advice has been wrong for so many years.

> Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by 
> a performance decline shortly after the change of salt. This has happened 
> after the last 3 changes of salt and the period of performance decline is 
> within 30 – 90 minutes. Most queries are dropped by the affected nodes during 
> the period. The normal rate is between 1.000 and 1.500 queries/second.
>  
> Other nodes running NSD and Knot are not affected.
>  
> What could be the reason for the performance decline?

We are currently investigating performance degradation related to big IXFRs.  
Do you use ixfr-from-differences in your BIND configuration?  You could try 
enforcing AXFR on salt change.

This is currently tracked as 
https://gitlab.isc.org/isc-projects/bind9/issues/1447

and associated feature request: 
https://gitlab.isc.org/isc-projects/bind9/issues/1515

Ondrej
--
Ondřej Surý
ond...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


NSEC3 salt change - temporary performance decline

2020-01-21 Thread Niels Haarbo via bind-users
Hello BIND users

Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all the 
relevant records and the zone is transferred using IXFR to the authoritative 
servers (6 nodes).

Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by a 
performance decline shortly after the change of salt. This has happened after 
the last 3 changes of salt and the period of performance decline is within 30 - 
90 minutes. Most queries are dropped by the affected nodes during the period. 
The normal rate is between 1.000 and 1.500 queries/second.

Other nodes running NSD and Knot are not affected.

What could be the reason for the performance decline?

Best regards

Niels Haarbo
DK Hostmaster A/S


Bootstrap inline signing

2019-01-18 Thread Niels Haarbo via bind-users

Is it supported to bootstrap inline signing using dnssec-signzone?

  $ named-compilezone -f text -F raw -o example.raw example.com example.text

  $ dnssec-signzone -S -K /etc/bind/keys -O raw -3 ABCDEF -H 19 -A -o example.com -f example.raw.signed example.text

and then load the two files (example.raw, example.raw.signed) into an 
inline signing configuration.


The solution is apparently working fine.

The reason for the above approach is performance. The initial inline 
signing is slow (several hours of computing) when signing a large zone. 
I have tried different values for "sig-signing-nodes" and 
"sig-signing-signatures" - but no luck.



--

Niels Haarbo,
DK Hostmaster A/S
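As an added illustration that is not from any post in this thread, the named.conf fragments below tie together the pieces discussed: the primary loads the two files produced by the named-compilezone and dnssec-signzone commands above into an inline-signing zone, journal growth is bounded with max-journal-size (the knob from the salt-change reply), and IXFR is switched off on both sides so a salt change is propagated as a full AXFR rather than a very large IXFR. The zone name, key directory and file names follow the commands above; the directory, secondary address and size value are assumptions, and the syntax targets the BIND 9.11 mentioned in the thread.

```conf
// ---- primary (the signer host) ----
options {
    directory "/var/cache/bind";      // assumed
    // Answer every transfer request with a full AXFR; a salt change
    // rewrites every NSEC3 record, so the IXFR would be nearly the
    // whole zone anyway.
    provide-ixfr no;
};

zone "example.com" {
    type master;
    // Unsigned zone written by: named-compilezone -F raw -o example.raw
    file "example.raw";
    masterfile-format raw;
    // named keeps the signed copy in "example.raw.signed", the file
    // pre-built with dnssec-signzone -f example.raw.signed (same name
    // inline signing derives from "file" + ".signed").
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/etc/bind/keys";
    // Cap the journal of the signed zone. Per kb.isc.org/docs/aa-01641 a
    // small cap cannot damage zone integrity; it only costs some speed.
    max-journal-size 20M;             // assumed value
    notify yes;
    also-notify   { 192.0.2.10; };    // assumed secondary (doc. address)
    allow-transfer { 192.0.2.10; };
};

// ---- one of the BIND 9.11 secondaries ----
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };           // assumed primary address
    file "example.com.db";
    // Never ask for an incremental transfer from this primary; every
    // refresh after a NOTIFY becomes a full AXFR.
    request-ixfr no;
    max-journal-size 20M;             // assumed value
};
```

On a secondary that already holds the zone, `rndc retransfer example.com` forces an immediate full transfer without waiting for the next refresh.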