NSEC3 salt change - temporary performance decline
Daniel Stirnimann
daniel.stirnimann at switch.ch
Tue Jan 21 15:59:39 UTC 2020
> Just don’t do that, there’s no sensible reason to change salt that often (or ever). I don’t know where the advice to change salt often comes from, but the advice has been wrong for so many years.
I agree that re-salting is kind of pointless (we still do it for .ch
though because so far I've been too lazy to change the code) but here is
one reference where it is recommended.
The salt SHOULD be changed periodically to prevent pre-computation
using a single salt. It is RECOMMENDED that the salt be changed for
every re-signing.
https://tools.ietf.org/html/rfc5155#appendix-C.1
>> What could be the reason for the performance decline?
>
> We are currently investigating performance degradation related to big IXFRs. Do you use ixfr-from-differences in your BIND configuration? You could try enforcing AXFR on salt change.
I use "max-journal-size" to force AXFR on big changes. A good value
depends on your zone size.
Daniel
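To show why a salt change produces such a large IXFR, here is an added example (not from this thread and not BIND code) that implements the RFC 5155 section 5 owner-name hash and counts how many NSEC3 owner names differ when only the salt changes; the sample names and the replacement salt are constructed, while the hash parameters (SHA-1, 12 iterations, salt aabbccdd) are those of the RFC 5155 Appendix A example zone.

```python
import hashlib

# Base32hex alphabet (RFC 4648 section 7), as required by RFC 5155 section 5.
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt) and
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt), with H = SHA-1 and x the
    canonical wire form of the name; output is lowercase base32hex."""
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte SHA-1 digest is exactly 160 bits -> 32 base32hex characters, no padding.
    bits = "".join(f"{b:08b}" for b in digest)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, 160, 5)).lower()

def changed_on_resalt(names, old_salt: bytes, new_salt: bytes, iterations: int) -> int:
    """Number of NSEC3 owner names that differ when only the salt changes.
    Every hashed name depends on the salt, so a re-salt rewrites the whole chain."""
    return sum(1 for n in names
               if nsec3_hash(n, old_salt, iterations) != nsec3_hash(n, new_salt, iterations))

# Constructed sample names; parameters match the RFC 5155 Appendix A example zone.
SAMPLE_NAMES = ["example.", "a.example.", "ns1.example.", "www.example.", "x.y.w.example."]
ITERATIONS = 12
OLD_SALT = bytes.fromhex("aabbccdd")
NEW_SALT = bytes.fromhex("01020304")  # constructed replacement salt

if __name__ == "__main__":
    n = changed_on_resalt(SAMPLE_NAMES, OLD_SALT, NEW_SALT, ITERATIONS)
    print(f"{n} of {len(SAMPLE_NAMES)} NSEC3 owner names change after re-salting")
```

Because every NSEC3 RR in the zone changes owner name, an incremental transfer after a re-sign with a new salt carries roughly the whole NSEC3 chain twice (deletions plus additions), which is why forcing a full AXFR is usually cheaper.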