Re: NSEC3 salt change - temporary performance decline

2020-06-09 Thread Cathy Almond
On 29/01/2020 11:50, Klaus Darilion wrote: > Hello Niels! > > Thanks for bringing this to attention. I have reported it before [1][2] > without response. > > We see this regulary. AFAIS it happens actually always, but if the IXFR > is small, the performance decline is so short that you usually

Re: NSEC3 salt change - temporary performance decline

2020-01-29 Thread Klaus Darilion
Am 21.01.2020 um 16:40 schrieb Ondřej Surý: > We are currently investigating performance degradation related to big IXFRs. > Do you use ixfr-from-differences in your BIND configuration? You could try > enforcing AFRX on salt change. > > This is currently tracked as >

Re: NSEC3 salt change - temporary performance decline

2020-01-29 Thread Klaus Darilion
Hello Niels! Thanks for bringing this to attention. I have reported it before [1][2] without response. We see this regulary. AFAIS it happens actually always, but if the IXFR is small, the performance decline is so short that you usually won't notice it. The bigger the zonechange ie NSEC3

RE: NSEC3 salt change - temporary performance decline

2020-01-23 Thread Niels Haarbo via bind-users
, January 21, 2020 4:41 PM To: Niels Haarbo Cc: bind-users@lists.isc.org Subject: Re: NSEC3 salt change - temporary performance decline Hi Niels, > On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users > wrote: > > Hello BIND users > > Our DNSSEC signer changes NSEC3

Re: NSEC3 salt change - temporary performance decline

2020-01-21 Thread Ondřej Surý
NSEC3 is like a toilet window. You want it translucent, not transparent. For that purpose, it serves well. -- Ondřej Surý — ISC > On 21 Jan 2020, at 17:05, Jim Reid wrote: > >  > >> On 21 Jan 2020, at 15:59, Daniel Stirnimann >> wrote: >> >> I agree that re-salting is kind of pointless >

Re: NSEC3 salt change - temporary performance decline

2020-01-21 Thread Jim Reid
> On 21 Jan 2020, at 15:59, Daniel Stirnimann > wrote: > > I agree that re-salting is kind of pointless So, just like NSEC3 then? :-) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users

Re: NSEC3 salt change - temporary performance decline

2020-01-21 Thread Daniel Stirnimann
> Just don’t do that, there’s no sensible reason to change salt that often (or > ever). I don’t know where the advice to change salt often comes from, but > the advice has been wrong for so many years. I agree that re-salting is kind of pointless (we still do it for .ch though because so far

Re: NSEC3 salt change - temporary performance decline

2020-01-21 Thread Ondřej Surý
Hi Niels, > On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users > wrote: > > Hello BIND users > > Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all > the relevant records and the zone is transferred using IXFR to the > authoritative servers (6 nodes). Just don’t