On 29/01/2020 11:50, Klaus Darilion wrote:
> Hello Niels!
>
> Thanks for bringing this to attention. I have reported it before [1][2]
> without response.
>
> We see this regulary. AFAIS it happens actually always, but if the IXFR
> is small, the performance decline is so short that you usually
Am 21.01.2020 um 16:40 schrieb Ondřej Surý:
> We are currently investigating performance degradation related to big IXFRs.
> Do you use ixfr-from-differences in your BIND configuration? You could try
> enforcing AFRX on salt change.
>
> This is currently tracked as
>
Hello Niels!
Thanks for bringing this to attention. I have reported it before [1][2]
without response.
We see this regulary. AFAIS it happens actually always, but if the IXFR
is small, the performance decline is so short that you usually won't
notice it.
The bigger the zonechange ie NSEC3
, January 21, 2020 4:41 PM
To: Niels Haarbo
Cc: bind-users@lists.isc.org
Subject: Re: NSEC3 salt change - temporary performance decline
Hi Niels,
> On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users
> wrote:
>
> Hello BIND users
>
> Our DNSSEC signer changes NSEC3
NSEC3 is like a toilet window. You want it translucent, not transparent. For
that purpose, it serves well.
--
Ondřej Surý — ISC
> On 21 Jan 2020, at 17:05, Jim Reid wrote:
>
>
>
>> On 21 Jan 2020, at 15:59, Daniel Stirnimann
>> wrote:
>>
>> I agree that re-salting is kind of pointless
>
> On 21 Jan 2020, at 15:59, Daniel Stirnimann
> wrote:
>
> I agree that re-salting is kind of pointless
So, just like NSEC3 then? :-)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users
> Just don’t do that, there’s no sensible reason to change salt that often (or
> ever). I don’t know where the advice to change salt often comes from, but
> the advice has been wrong for so many years.
I agree that re-salting is kind of pointless (we still do it for .ch
though because so far
Hi Niels,
> On 21 Jan 2020, at 15:43, Niels Haarbo via bind-users
> wrote:
>
> Hello BIND users
>
> Our DNSSEC signer changes NSEC3 salt every 30 days. The signer resigns all
> the relevant records and the zone is transferred using IXFR to the
> authoritative servers (6 nodes).
Just don’t
8 matches
Mail list logo