Willem at NLnetLabs.nl
Tue May 22 08:53:21 UTC 2012
On 21-05-12 22:07, Paul Wouters wrote:
> On Mon, 21 May 2012, Willem Toorop wrote:
>> and command-line options for ldns-verify-zone for
>> validating against given keys
> The man page and this description does not make it very
> clear what this validation option is.
> Since a zone has the DNSKEY's in it to perform RRSIG verification,
> I assume this option means it can validate the DNSKEY RRset
> against other trust anchors (those specified with -k ?)
I copied the description from drill which already had such an option
with the same meaning.
dig also has a similar description with its +trusted-key=#### option.
It means that everything, signed with keys from the -k options, or with
keys that in their verification path are ultimately signed with a key
from those -k options, is considered valid. Provided that all other
conditions determining the validity are good too of course.
If the -S option is also given, one could provide the root key, and
that should ultimately validate. In that sense -k could be considered to
be an option providing the trust anchor(s).
> Running ldns-verify-zone -a against a 1M zone was aborted after 8h:
> real 834m21.494s
> user 0m0.000s
> sys 0m0.001s
> Note it was using 100% of a single CPU until I killed it
> despite the user/sys time being zero.
> Since -a means to only check the apex, I'm quite confused what it
> was actually doing with the cpu.
ldns-verify-zone currently reads the whole zone into memory (as an
array), and then puts it in a red/black-tree. This is far from
efficient. Especially for sorted zones we expect quite some improvements
with a sliding window technique (in which zones are processed while
ldns efficiency is high on the priority list for the next release and it
will certainly contain a much improved ldns-verify-zone in terms of
speed and memory requirements.
Though... I can not explain your numbers. On my desktop PC
with a zone with 12M RRs, ldns-verify-zone takes for that zone:
For comparison, validns does it in:
So there is quite a bit to improve here :/
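The -k rule Willem describes above (an RRset is accepted when it is signed by a -k key, or by a key whose verification path ultimately leads to one), as an added illustration that is not ldns's code: a simplified model in which constructed key ids record which keys vouch for them, and a cycle guard keeps a self-signed "island" from ever validating.

```python
"""Added example, not ldns code: chain-of-trust check behind the -k option.

Each constructed key id records the keys that vouch for it (a KSK signing a
ZSK, or a parent ZSK signing the DS that introduces a child KSK, are both
reduced to signer -> signed). An RRset is valid only if one of its RRSIG keys
is a -k key or chains up to one.
"""

# Constructed key graph: key id -> ids of the keys that vouch for it.
SIGNED_BY = {
    "root-ksk": set(),             # given with -k, nothing vouches for it
    "root-zsk": {"root-ksk"},
    "example-ksk": {"root-zsk"},   # DS in the root, signed by root-zsk
    "example-zsk": {"example-ksk"},
    "island-ksk": {"island-zsk"},  # self-contained island: a cycle
    "island-zsk": {"island-ksk"},
}

# Constructed RRsets: owner -> key ids appearing in its RRSIGs.
RRSIGS = {
    "www.example.": {"example-zsk"},
    "mail.example.": {"example-zsk", "island-zsk"},
    "www.island.": {"island-zsk"},
    "unsigned.example.": set(),
}


def chains_to_anchor(key, signed_by, anchors, seen=None):
    """True if `key` is an anchor or one of its signers ultimately is."""
    seen = set() if seen is None else seen
    if key in anchors:
        return True
    if key in seen:   # cycle guard: keys only vouching for each other never reach -k
        return False
    seen.add(key)
    return any(chains_to_anchor(s, signed_by, anchors, seen)
               for s in signed_by.get(key, ()))


def rrset_valid(owner, rrsigs, signed_by, anchors):
    """Accept an RRset when any of its signing keys chains to a -k key."""
    return any(chains_to_anchor(k, signed_by, anchors)
               for k in rrsigs.get(owner, ()))


def verify_all(rrsigs, signed_by, anchors):
    return {o: rrset_valid(o, rrsigs, signed_by, anchors) for o in rrsigs}


if __name__ == "__main__":
    for owner, ok in verify_all(RRSIGS, SIGNED_BY, {"root-ksk"}).items():
        print(f"{owner:20} {'valid' if ok else 'bogus'}")
```

Passing {"island-ksk"} as the anchor set instead validates www.island. and rejects www.example., mirroring what -k does when a non-root trust anchor is supplied.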