[dns-operations] [DNSSEC] Looking for a zone verification tool
Miek Gieben
miek.gieben at sidn.nl
Wed Mar 2 09:47:34 UTC 2011
[ Quoting Sebastian Castro in "Re: [dns-operations] [DNSSEC] Looki"... ]
> > Looks like this hangs on figuring out what is glue.
> >
> > I think if you add an option (-d delegation only zone) which defines:
> > all A/AAAA records which don't have the same owner name as the soa
> > record are glue.
> >
>
> I took this idea, changed ldns-verify-zone and ran some benchmarks.
>
> Tested with two zones with ~25000 delegations and one with ~350000
> delegations, the -d option runs 20% faster.
>
> On the small zones, it takes less than 1 minute to run, but on the big zone
> it takes more than an hour, so it is still unacceptable.
>
> The patch is attached.
There was another bottleneck. In verify_dnssec_name() there is an if:

    if (ldns_rr_list_contains_name(glue_rrs, name->name) &&
        ldns_dnssec_name_has_only_a(name))

if you swap that to:

    if (ldns_dnssec_name_has_only_a(name) &&
        ldns_rr_list_contains_name(glue_rrs, name->name))

It makes it somewhat faster. I can do large zones in 60 seconds now.

I'll have to check if everything is OK. But I will post code soon
(and file a bug in ldns' bugtracker).
grtz Miek
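
An added illustration, not part of the original message and not ldns code, of why the operand order in that condition matters: && short-circuits, so putting the cheap per-name check first skips the glue-list search for every name that cannot be glue, while the classification stays the same. The zone data, count_glue() and glue_contains() are constructed for the example, and the linear-scan cost of the glue lookup is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed zone model, not ldns code; only_a stands in for the cheap check. */
struct zname { const char *owner; bool only_a; };
static const struct zname ZONE[] = {
    {"example.", false},       /* apex: SOA, NS, DNSKEY */
    {"a.example.", false},     /* delegation: NS, DS */
    {"ns1.a.example.", true},  /* glue */
    {"b.example.", false},     /* delegation: NS, DS */
    {"ns1.b.example.", true},  /* glue */
};
static const char *const GLUE[] = {"ns1.a.example.", "ns1.b.example."};
#define N_ZONE (sizeof ZONE / sizeof ZONE[0])
#define N_GLUE (sizeof GLUE / sizeof GLUE[0])
static size_t scan_cmps; /* owner-name comparisons spent in the list scan */

/* Assumed cost model for the glue lookup: linear search by owner name. */
static bool glue_contains(const char *owner)
{
    for (size_t i = 0; i < N_GLUE; i++) {
        scan_cmps++;
        if (strcmp(GLUE[i], owner) == 0)
            return true;
    }
    return false;
}

/* Returns the number of glue names; *cmps receives the scan cost.
 * && short-circuits, so operand order decides how often the scan runs. */
size_t count_glue(bool cheap_first, size_t *cmps)
{
    size_t hits = 0;
    scan_cmps = 0;
    for (size_t i = 0; i < N_ZONE; i++) {
        bool glue = cheap_first
            ? (ZONE[i].only_a && glue_contains(ZONE[i].owner))
            : (glue_contains(ZONE[i].owner) && ZONE[i].only_a);
        hits += glue;
    }
    *cmps = scan_cmps;
    return hits;
}

int main(void)
{
    size_t slow, fast, glue = count_glue(false, &slow);
    count_glue(true, &fast);
    printf("%zu glue names; scan first: %zu compares, cheap first: %zu\n", glue, slow, fast);
}
```

With the scan first, every owner name pays for a pass over the glue list, and names that are not glue pay for a full pass; with the cheap check first, only the names holding nothing but address records do.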