[ldns-users] ldns-verify-zone

Willem Toorop Willem at NLnetLabs.nl
Tue May 22 08:53:21 UTC 2012


Hi Paul,

On 21-05-12 22:07, Paul Wouters wrote:
> On Mon, 21 May 2012, Willem Toorop wrote:
> 
>> and command-line options for ldns-verify-zone for
>> validating against given keys
> 
> The man page and this description do not make it very
> clear what this validation option is.
> 
> Since a zone has the DNSKEYs in it to perform RRSIG verification,
> I assume this option means it can validate the DNSKEY RRset
> against other trust anchors (those specified with -k ?)

I copied the description from drill which already had such an option
with the same meaning.

dig also has a similar description with its +trusted-key=#### option.

It means that everything signed with keys from the -k options, or with
keys that in their verification path are ultimately signed with a key
from those -k options, is considered valid, provided that all other
conditions determining the validity are good too, of course.

If the -S option is also given, one could provide the root key, and
that should ultimately validate. In that sense -k could be considered to
be an option providing the trust anchor(s).

> Running ldns-verify-zone -a against a 1M zone was aborted after 8h:
> 
> real    834m21.494s
> user    0m0.000s
> sys     0m0.001s
> 
> Note it was using 100% of a single CPU until I killed it
> despite the user/sys time being zero.
> 
> Since -a means to only check the apex, I'm quite confused what it
> was actually doing with the cpu.

ldns-verify-zone currently reads the whole zone into memory (as an
array), and then puts it in a red/black-tree. This is far from
efficient. Especially for sorted zones we expect quite some improvements
with a sliding window technique (in which zones are processed while
reading).
ldns efficiency is high on the priority list for the next release and it
will certainly contain a much improved ldns-verify-zone in terms of
speed and memory requirements.

Though... I cannot explain your numbers. On my desktop PC
ldns-read-zone takes

real	1m8.885s
user	1m15.821s
sys	0m1.244s

with a zone with 12M RRs. ldns-verify-zone takes for that zone:

real	3m19.718s
user	3m17.372s
sys	0m1.808s

For comparison, validns does it in:

real	0m14.144s
user	0m13.313s
sys	0m0.716s

So there is quite a bit to improve here :/

-- Willem
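The -k semantics described in the reply above (anything signed with a -k key, or with a key whose verification path ultimately leads back to a -k key, counts as valid) can be illustrated as a trust-propagation walk over a zone. The following is an added example, not ldns code and not what ldns-verify-zone itself does internally: it models RRSIGs only by the key tag that is assumed to verify them, performs no real cryptography, does not model -S chasing, and uses a constructed zone with invented key tags (1001, 2002, 3003, 4004, 9999) and names under example.org.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    """One RRset of the zone plus the key tags of the RRSIGs covering it.

    Constructed model, no cryptography: a tag in `signers` means "an RRSIG
    made with that key tag exists and is assumed to verify". For DNSKEY
    RRsets, `keys` holds the key tags the RRset contains; for DS RRsets it
    holds the key tags of the child keys the DS records point at.
    """
    owner: str
    rtype: str
    signers: frozenset
    keys: frozenset = frozenset()


def propagate_trust(rrsets, anchors):
    """Return the key tags trusted given the anchor key tags (the -k keys).

    A DNSKEY RRset signed by a trusted key makes every key it contains
    trusted; a DS RRset signed by a trusted key makes the child keys it
    refers to trusted. Iterate to a fixpoint so that longer chains resolve
    regardless of the order in which the RRsets appear.
    """
    trusted = set(anchors)
    changed = True
    while changed:
        changed = False
        for rr in rrsets:
            if rr.rtype not in ("DNSKEY", "DS"):
                continue
            if rr.signers & trusted and not rr.keys <= trusted:
                trusted |= rr.keys
                changed = True
    return frozenset(trusted)


def verify_zone(rrsets, anchors):
    """Map (owner, type) -> True if some covering RRSIG chains to an anchor."""
    trusted = propagate_trust(rrsets, anchors)
    return {(rr.owner, rr.rtype): bool(rr.signers & trusted) for rr in rrsets}


# Constructed zone: KSK 1001 signs the apex DNSKEY RRset, ZSK 2002 signs the
# zone data, a DS at the delegation point refers to child KSK 3003, which
# signs the child DNSKEY RRset containing child ZSK 4004. Key 9999 is a
# stray tag that appears in no DNSKEY RRset, so nothing it signs can chain
# back to an anchor.
ZONE = [
    RRset("example.org.", "DNSKEY", frozenset({1001}), frozenset({1001, 2002})),
    RRset("example.org.", "SOA", frozenset({2002})),
    RRset("example.org.", "NS", frozenset({2002})),
    RRset("www.example.org.", "A", frozenset({2002})),
    RRset("sub.example.org.", "DS", frozenset({2002}), frozenset({3003})),
    RRset("sub.example.org.", "DNSKEY", frozenset({3003}), frozenset({3003, 4004})),
    RRset("host.sub.example.org.", "A", frozenset({4004})),
    RRset("rogue.example.org.", "TXT", frozenset({9999})),
]


if __name__ == "__main__":
    # Equivalent of passing the apex KSK as the single -k key.
    for (owner, rtype), ok in sorted(verify_zone(ZONE, {1001}).items()):
        print(f"{owner:24} {rtype:7} {'valid' if ok else 'INVALID'}")
```

Anchoring on the KSK alone validates everything except the rogue TXT RRset; anchoring on the ZSK 2002 alone leaves the apex DNSKEY RRset unvalidated (only 1001 signs it) while the zone data and the delegated child still chain through the DS record, which is exactly the "ultimately signed with a key from those -k options" rule.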
