BIND - in loop rewrite zone serial no.

[Tony Finch]

Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote:
>
> could someone, please, help me with diagnostics, how can I check how many
> records are signed per cycle?

I looked at my zone transfer logs, which give the size of each IXFR
following a zone update. If you don't have any ixfr logs, then you can use
`named-journalprint` and look at the number of consecutive "add" and
"del" lines in each update.

The reason the sig-signing-* options don't have much effect on the size of
signing increments is a combination of two things: Firstly, `named` adds
random jitter to re-signing times to spread out the load, and when this is
combined with small sig-signing-* values and incremental updates, the
signing schedule will become increasingly fragmented; Secondly, there
isn't any option to de-fragment signing times, so that small updates get
re-signed in bigger chunks.

I inherited a patch from Chris Thompson to increase the hardcoded value
in `stop = now + 5` (see link below). This is what controls how much
defragmentation can happen - 5 seconds is not much! IIRC we adjusted it to
300 (5 minutes) but even something like 3600 would be reasonable, I think,
because then the sig-signing-* options would be the main limit on
re-signing work.

https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/dns/zone.c#L6787

I no longer use this patch because it's easier to run unpatched BIND in
production, and I didn't think it was important enough to turn into a
configuration option. Maybe I was wrong :-)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea, Shannon: Southwest 5 to 7, increasing gale 8 at times. Moderate or
rough in Irish Sea, rough or very rough in Shannon. Rain at times, fog patches
at first in south. Moderate or good, occasionally very poor.