[dns-operations] [DNSSEC] Looking for a zone verification tool

Vincent Levigneron levigner at nic.fr
Mon Mar 7 23:21:14 UTC 2011


Thank you for your help,

You were right, it's far better if you switch the 2 conditions in this test. But the real 
bottleneck I found (I don't need to be clever while it's written in the documentation :-)
is the call to ldns_zone_glue_rr_list. It takes more than 90% of the computing time for very
large zones.

I also had to modify the ldns library to accept the following kind of glues:

one.example.	NS one.example.
		NS ns1.foo.bar.
one.example.	A  1.2.3.4

Now, I can validate shorter versions of .fr zonefiles.
It's still unacceptable for the whole zone, but if we can improve glue processing, I'm
pretty sure this tool could fit our requirements.

Regards.
	
	Vincent.

On 02 Mar, Miek Gieben wrote:
> [ Quoting Sebastian Castro in "Re: [dns-operations] [DNSSEC] Looki"... ]
> > > Looks like this hangs on figuring out what is glue. 
> > > 
> > > I think if you add an option (-d delegation only zone) which defines:
> > >     all A/AAAA records which don't have the same owner name as the soa
> > >     record are glue.
> > > 
> > 
> > I took this idea, changed ldns-verify-zone and ran some benchmarks.
> > 
> > Tested with two zones with ~25000 delegations and one with ~350000
> > delegations, the -d option runs 20% faster.
> > 
> > On the small zones, it takes less than 1 minute to run, but on the big zone
> > it takes more than an hour, so it is still unacceptable.
> > 
> > The patch is attached.
> 
> There was another bottleneck. In 
> verify_dnssec_name() there is an if:
> 
> if (ldns_rr_list_contains_name(glue_rrs, name->name) &&
>     ldns_dnssec_name_has_only_a(name))
> 
> if you swap that to:
> 
> if (ldns_dnssec_name_has_only_a(name) &&
>                  ldns_rr_list_contains_name(glue_rrs, name->name)
> 
> It makes it somewhat faster. I can do large zones in 60 seconds now.
> 
> I'll have to check if everything is OK. But I will post code soon
> (and file a bug in ldns' bugtracker)
> 
> grtz Miek
> 

-- 
	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at nic.fr
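As an added example (not code from this thread or from ldns): a small Python model of the "delegation-only" glue heuristic Sebastian describes, of the glue layout Vincent shows (owner name inherited from the previous line, address record at the delegation name itself), and of how the condition swap Miek describes changes the number of glue-list scans. The zone fragment is constructed, and the orphan-glue check is my addition rather than something the thread proposes.

```python
# Added example; the ZONE fragment below is constructed, not data from the thread.
def parse_zone(text):
    """Minimal presentation-format parser; a line starting with whitespace inherits
    the previous owner name, as in the glue layout quoted in the thread."""
    rrs, owner = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if not line[0].isspace():          # explicit owner name on this line
            owner, fields = fields[0].lower(), fields[1:]
        rrs.append((owner, fields[0].upper(), " ".join(fields[1:]).lower()))
    return rrs

def delegation_only_glue(rrs):
    """-d heuristic: every A/AAAA whose owner is not the SOA owner is glue."""
    apex = next(o for o, t, _ in rrs if t == "SOA")
    return [rr for rr in rrs if rr[1] in ("A", "AAAA") and rr[0] != apex]

def orphan_glue(rrs):
    """Glue owners that no NS record points at: address data a delegation-only
    zone has no reason to carry, so a verifier should flag it."""
    ns_targets = {rdata for _, t, rdata in rrs if t == "NS"}
    return sorted({o for o, _, _ in delegation_only_glue(rrs)} - ns_targets)

def has_only_address_records(rrs, name):
    return all(t in ("A", "AAAA") for o, t, _ in rrs if o == name)

def skippable_names(rrs, cheap_first):
    """Names that are pure glue (skipped in signature checks) plus the number of
    glue-list scans spent finding them, for either order of the two conditions."""
    glue, scans, skip = delegation_only_glue(rrs), 0, set()
    for name in sorted({o for o, _, _ in rrs}):
        if cheap_first and not has_only_address_records(rrs, name):
            continue                       # cheap test fails: no glue scan needed
        scans += 1                         # models ldns_rr_list_contains_name()
        if any(o == name for o, _, _ in glue) and has_only_address_records(rrs, name):
            skip.add(name)
    return skip, scans

ZONE = """\
example.          SOA  ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.          NS   ns1.example.
ns1.example.      A    192.0.2.1
one.example.      NS   one.example.
                  NS   ns1.foo.bar.
one.example.      A    192.0.2.10
two.example.      NS   ns.two.example.
ns.two.example.   AAAA 2001:db8::20
dangling.example. A    192.0.2.99
"""
```

On this fragment the original order scans the glue list once per name (6 scans) while the swapped order scans it only for the 3 names that carry nothing but address records; both orders select the same names.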