Thank you all for the answers. We do not use ixfr-from-differences on the actual zone, but on several others on the same server. Not sure how a BIND handles that scenario.
I will try to solve the problem by changing the max-journal-size. According to the docs https://kb.isc.org/docs/aa-01641 it cannot 'hurt' integrity to set a low value - but a value too low will affect performance. If I can't find a solution by lowering the max-journal-size, I will disable NSEC3 salt changes. Best regards Niels Haarbo DK Hostmaster A/S -----Original Message----- From: Ondřej Surý <ond...@isc.org> Sent: Tuesday, January 21, 2020 4:41 PM To: Niels Haarbo <haa...@dk-hostmaster.dk> Cc: bind-users@lists.isc.org Subject: Re: NSEC3 salt change - temporary performance decline Hi Niels, > On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users > <bind-users@lists.isc.org> wrote: > > Hello BIND users > > Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all > the relevant records and the zone is transferred using IXFR to the > authoritative servers (6 nodes). Just don’t do that, there’s no sensible reason to change salt that often (or ever). I don’t know where the advice to change salt often comes from, but the advice has been wrong for so many years. > Two of the 6 authoritative servers (BIND 9.11.13 and 9.11.14) are affected by > a performance decline shortly after the change of salt. This has happened > after the last 3 changes of salt and the period of performance decline is > within 30 – 90 minutes. Most queries are dropped by the affected nodes during > the period. The normal rate is between 1.000 and 1.500 queries/second. > > Other nodes running NSD and Knot are not affected. > > What could be the reason for the performance decline? We are currently investigating performance degradation related to big IXFRs. Do you use ixfr-from-differences in your BIND configuration? You could try enforcing AFRX on salt change. This is currently tracked as https://gitlab.isc.org/isc-projects/bind9/issues/1447 and associated feature request: https://gitlab.isc.org/isc-projects/bind9/issues/1515 Ondrej -- Ondřej Surý ond...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users