NSEC3 salt change - temporary performance decline

Klaus Darilion klaus.mailinglists at pernau.at
Wed Jan 29 11:50:13 UTC 2020


Hello Niels!

Thanks for bringing this to attention. I have reported it before [1][2]
without response.

We see this regulary. AFAIS it happens actually always, but if the IXFR
is small, the performance decline is so short that you usually won't
notice it.

The bigger the zonechange ie NSEC3 change, full resigning ....* the
longer is the performance decline and you will notice it more often.

*we don't resalt or resign completele - but this is what several of our
TLD customers do.

I hope it will be fixed soon, we already test other software.

regards
Klaus


[1] https://lists.isc.org/pipermail/bind-users/2018-March/099814.html
[2] https://lists.isc.org/pipermail/bind-users/2019-March/101579.html


Am 21.01.2020 um 15:43 schrieb Niels Haarbo via bind-users:
> Hello BIND users
> 
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all the relevant records and the zone is transferred using IXFR to the authoritative servers (6 nodes).
> 
> Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by a performance decline shortly after the change of salt. This has happened after the last 3 changes of salt and the period of performance decline is within 30 - 90 minutes. Most queries are dropped by the affected nodes during the period. The normal rate is between 1.000 and 1.500 queries/second.
> 
> Other nodes running NSD and Knot are not affected.
> 
> What could be the reason for the performance decline?
> 
> Best regards
> 
> Niels Haarbo
> DK Hostmaster A/S
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 


More information about the bind-users mailing list