NSEC3 salt change - temporary performance decline

Ondřej Surý ondrej at isc.org
Tue Jan 21 15:40:49 UTC 2020

Hi Niels,

> On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users <bind-users at lists.isc.org> wrote:
> Hello BIND users
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all the relevant records and the zone is transferred using IXFR to the authoritative servers (6 nodes).

Just don’t do that, there’s no sensible reason to change salt that often (or ever).  I don’t know where the advice to change salt often comes from, but the advice has been wrong for so many years.

> Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by a performance decline shortly after the change of salt. This has happened after the last 3 changes of salt and the period of performance decline is within 30 – 90 minutes. Most queries are dropped by the affected nodes during the period. The normal rate is between 1.000 and 1.500 queries/second.
> Other nodes running NSD and Knot are not affected.
> What could be the reason for the performance decline?

We are currently investigating performance degradation related to big IXFRs.  Do you use ixfr-from-differences in your BIND configuration?  You could try enforcing AXFR on salt change.

This is currently tracked as https://gitlab.isc.org/isc-projects/bind9/issues/1447

and associated feature request: https://gitlab.isc.org/isc-projects/bind9/issues/1515

Ondřej Surý
ondrej at isc.org
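To make concrete why a salt change turns into such a large transfer, the following is an added illustration for this thread (not code from BIND, ISC, or either poster): it implements the NSEC3 owner-name hash from RFC 5155 section 5 using only the Python standard library, then hashes a constructed set of zone names under two salts. Because the salt is mixed into every iteration of the hash, every NSEC3 owner name in the chain changes, so the signer must delete and re-add every NSEC3 record together with its RRSIG, and an IXFR carrying that delta is roughly twice the size of the NSEC3 portion of the zone. The sample zone names and the second salt are constructed; the first check uses the RFC 5155 Appendix A test vector (apex of "example.", salt aabbccdd, 12 iterations).

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5) and the effect of a salt
change on a zone's NSEC3 chain.  Added example for this thread, not code from
BIND or ISC.  Only the Python standard library is used."""
import base64
import hashlib

# Translation from RFC 4648 base32 to base32hex (the alphabet NSEC3 uses),
# so the code does not rely on base64.b32hexencode (Python 3.10+).
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical wire format of a domain name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hash of `name`:
        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    with H = SHA-1 (the only hash algorithm defined for NSEC3), returned as
    lowercase base32hex as it appears in zone files.  A salt of "-" (the
    presentation form) or "" means no salt."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_chain(names, salt_hex: str, iterations: int) -> list:
    """The NSEC3 chain a signer builds: one hashed owner per name, sorted by
    hash so each record can point at the next hash in the chain."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def records_rewritten(names, old_salt: str, new_salt: str, iterations: int) -> int:
    """Number of NSEC3 owner names that no longer exist after a salt change.
    Each one costs the IXFR a deletion of the old NSEC3 and its RRSIG plus an
    addition of the new pair, i.e. four records per name."""
    old = set(nsec3_chain(names, old_salt, iterations))
    new = set(nsec3_chain(names, new_salt, iterations))
    return len(new - old)


# Constructed sample zone names (not a real zone).
SAMPLE_NAMES = ["example", "ns1.example", "www.example", "mail.example", "x.w.example"]

if __name__ == "__main__":
    old_salt, new_salt = "aabbccdd", "1122334455"  # second salt is constructed
    for n in SAMPLE_NAMES:
        print(f"{n:14} {nsec3_hash(n, old_salt, 12)}  ->  {nsec3_hash(n, new_salt, 12)}")
    changed = records_rewritten(SAMPLE_NAMES, old_salt, new_salt, 12)
    print(f"{changed}/{len(SAMPLE_NAMES)} NSEC3 owner names changed; "
          f"IXFR must carry {4 * changed} NSEC3/RRSIG deletions and additions")
```

Run it and every hash in the right-hand column differs from the left, which is the whole chain being rewritten; a 30-day salt rotation therefore produces an IXFR almost as large as an AXFR, with none of the security benefit the rotation was supposed to buy.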
