[nsd-users] Using zonec to avoid O(N^2) complexity

Casper Gielen c.gielen at uvt.nl
Fri May 11 07:58:48 UTC 2012


On 05/10/2012 03:10 PM, Rick van Rein wrote:
> Hello,
> 
> Specifically, when combined with OpenDNSSEC which regularly
> reloads its N zones into the daemon, and if each reload takes
> N rebuilds, then the order of complexity is N^2.  And all
> that could be overcome by being able to rebuild, import and
> delete a single zone.
> 
> I've tried to use zonec for that purpose, but discovered that
> this drops all other zones from the database.  It can be read
> into the man page though, in retrospect ;-)

I've had the same experience. I've been told that this will be improved
in NSD4.
Not only was a lot of time wasted reloading NSD, it also caused all
kinds of problems such as hangs, crashes and missed updates. Mind you, most
of this experience is based on the ancient NSD2, NSD3 might be better.
In the end I wrote a wrapper script to handle nameserver restarts (both
NSD and Unbound). If a zone is reloaded any further commands will be
queued until the rebuild is done. Then another 'rebuild' is issued to
import any changes that were made in between.
I've attached the script.  The comments are in Dutch but I know you can
read that.
The first reload command gets executed directly.
The second command creates a waiting queue.
The third moves into the queue.
Then the Unbound-caches are flushed.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl


-------------- next part --------------
#!/usr/bin/env bash

# $Id: nameserver-reload 53506 2012-04-11 11:31:27Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/opendnssec/usr/local/sbin/nameserver-reload $

#  
# Reload the nameservers
#

LOCK1=/var/lock/nameserver-reload1
LOCK2=/var/lock/nameserver-reload2

list_zones()
{
	sed  -n 's/.*one name="\(.*\)".*/\1/gp' /etc/opendnssec/zonelist.xml
}

reload()
{
	# prevent the nameservers from being started a hundred times in parallel
	if [ -e "$LOCK2" ]; then
		# Someone else is already waiting to reload nsd,
		# so we do not have to do it again as well.
		while [ -e "$LOCK2" ]; do
			sleep 1;
		done
	else
		# NSD has to be reloaded once more
		if [ ! -e "$LOCK1" ]; then
			# our turn right away, create a new queue
			echo $$ > "$LOCK1"
			LOCK=$LOCK1
		else
			# LOCK1 exists, join the queue and wait for your turn
			echo $$ > "$LOCK2"
			while [ -e "$LOCK1" ]; do
				sleep 1;
			done
			LOCK=$LOCK2
			sleep $(( RANDOM % 5 ))
		fi
		trap 'rm -rf -- "$LOCK"' INT TERM EXIT

		sudo -u nsd /usr/sbin/nsdc rebuild && sudo -u nsd /usr/sbin/nsdc reload
		rm -f -- "$LOCK"
		# the lock is released: clear the trap so that a later exit cannot
		# delete a lock file that another process has created since
		trap - INT TERM EXIT
	fi

	if [ "$(hostname)" = 'ramanujan' ];
	then
		if [ -z "$1" ];
		then
			# no zone given -> reload all zones
			for zone in $(list_zones) ; do
				sudo -u root /usr/sbin/nsd-notify -z "$zone" 137.56.247.39	# haar
				sudo -u root /usr/sbin/nsd-notify -z "$zone" 137.56.247.40	# pade
			done
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf  -s 137.56.247.184 reload
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf     -s 137.56.247.185 reload
		#	sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s 137.56.165.66 reload
		else
			sudo -u root /usr/sbin/nsd-notify -z "$1" 137.56.247.39  # haar
			sudo -u root /usr/sbin/nsd-notify -z "$1" 137.56.247.40  # + pade
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf  -s 137.56.247.184 flush_zone "$1"
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf     -s 137.56.247.185 flush_zone "$1"
			#sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s 137.56.165.66  flush_zone $1
		fi
	else
		# metagross
		if [ -z "$1" ];
		then
			sudo -u root /usr/sbin/unbound-control reload
		else
			sudo -u root /usr/sbin/unbound-control flush_zone "$1"
		fi

	fi

}

reload "$@" &
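
The queueing scheme described in the message (first command runs directly, second waits its turn, later ones wait for the queued one), as an added example that is not part of the attached script: here the slots are claimed with mkdir, which tests and creates in one step, so two callers cannot both win a slot. LOCKDIR, its default path, try_lock and run_coalesced are hypothetical names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not the attached script. LOCKDIR, try_lock and
# run_coalesced are hypothetical names; the default path is an assumption.
# Keep LOCKDIR in a directory only the service account can write to.
LOCKDIR=${LOCKDIR:-/var/lock/nameserver-reload.d}

# mkdir creates the slot or fails in a single step, so two callers can
# never both believe they own it (unlike "[ ! -e f ]" followed by "> f").
try_lock() { mkdir "$LOCKDIR/$1" 2>/dev/null; }

# run_coalesced CMD [ARGS...]
#   1st caller      runs CMD at once
#   2nd caller      queues exactly one follow-up run
#   later callers   wait for that follow-up and run nothing themselves
# The body is a subshell, so the trap and variables stay local to it.
run_coalesced() (
    mkdir -p "$LOCKDIR" || exit 1
    held=
    release() {
        for slot in $held; do rmdir "$LOCKDIR/$slot" 2>/dev/null; done
        held=
    }
    trap 'release; exit 130' INT TERM   # do not leave stale slots behind

    if try_lock running; then
        held=running
    elif try_lock waiting; then
        held=waiting
        # Only a holder of "running" may start CMD: this is what keeps
        # two rebuilds from overlapping.
        until try_lock running; do sleep 1; done
        held="running waiting"
    else
        while [ -d "$LOCKDIR/waiting" ]; do sleep 1; done
        exit 0
    fi

    rc=0
    "$@" || rc=$?
    release
    exit "$rc"
)

# Usage: this-script CMD [ARGS...]
if [ "$#" -gt 0 ]; then run_coalesced "$@"; fi
```

As in the attached script, a caller that arrives while the queued run is already in progress only waits for it, so a change made at that moment is picked up by the next reload request.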