[nsd-users] Using zonec to avoid O(N^2) complexity

Casper Gielen c.gielen at uvt.nl
Fri May 11 07:58:48 UTC 2012

On 05/10/2012 03:10 PM, Rick van Rein wrote:
> Hello,
> Specifically, when combined with OpenDNSSEC which regularly
> reloads its N zones into the daemon, and if each reload takes
> N rebuilds, then the order of complexity is N^2.  And all
> that could be overcome by being able to rebuild, import and
> delete a single zone.
> I've tried to use zonec for that purpose, but discovered that
> this drops all other zones from the database.  It can be read
> into the man page though, in retrospect ;-)

I've had the same experience. I've been told that this will be improved
in NSD4.
Not only was a lot of time wasted reloading NSD, it also caused all
kinds of problems such as hangs, crashes and missed updates. Mind you, most
of this experience is based on the ancient NSD2, NSD3 might be better.
In the end I wrote a wrapper script to handle nameserver restarts (both
NSD and Unbound). If a zone is reloaded any further commands will be
queued until the rebuild is done. Then another 'rebuild' is issued to
import any changes that were made in between.
I've attached the script.  The comments are in Dutch but I know you can
read that.
The first reload command gets executed directly.
The second command creates a waiting queue.
The third moves into the queue.
Then the Unbound-caches are flushed.
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

-------------- next part --------------
#!/usr/bin/env bash

# $Id: nameserver-reload 53506 2012-04-11 11:31:27Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/opendnssec/usr/local/sbin/nameserver-reload $

# Reload the nameservers

# The lock file definitions are missing from the archived copy of this
# script; the two paths below are placeholders.
LOCK1=/path/to/lock1	# placeholder
LOCK2=/path/to/lock2	# placeholder

# Print the zone names listed in the OpenDNSSEC zone list
list_zones() {
	sed  -n 's/.*one name="\(.*\)".*/\1/gp' /etc/opendnssec/zonelist.xml
}

reload() {
	# prevent the nameservers from being started a hundred times in parallel
	if [ -e "$LOCK2" ]; then
		# Someone else is already waiting to reload nsd,
		# we do not need to do it once more.
		while [ -e "$LOCK2" ]; do
			sleep 1;
		done
	else
		# NSD has to be reloaded once more
		if [ ! -e "$LOCK1" ]; then
			# our turn right away, create a new queue
			echo $$ > "$LOCK1"
			LOCK=$LOCK1	# assumed; the assignment is missing from the archived copy
		else
			# LOCK1 exists, join the queue and wait for your turn
			echo $$ > "$LOCK2"
			LOCK=$LOCK2	# assumed; the assignment is missing from the archived copy
			while [ -e "$LOCK1" ]; do
				sleep 1;
			done
			sleep $(( RANDOM % 5 ))
		fi
		trap 'rm -rf -- "$LOCK"' INT TERM EXIT

		sudo -u nsd /usr/sbin/nsdc rebuild && sudo -u nsd /usr/sbin/nsdc reload
		rm -- "$LOCK"
	fi

	if [ "$(hostname)" == 'ramanujan' ]; then
		if [ -z "$1" ]; then
			# no zone given -> reload all zones
			for zone in $(list_zones); do
				sudo -u root /usr/sbin/nsd-notify -z "$zone" 	# haar
				sudo -u root /usr/sbin/nsd-notify -z "$zone"	# pade
			done
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf  -s reload
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf     -s reload
		#	sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s reload
		else
			sudo -u root /usr/sbin/nsd-notify -z "$1"  # haar
			sudo -u root /usr/sbin/nsd-notify -z "$1"  # + pade
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf  -s flush_zone "$1"
			sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf     -s flush_zone "$1"
			#sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s  flush_zone "$1"
		fi
	else
		# metagross
		if [ -z "$1" ]; then
			sudo -u root /usr/sbin/unbound-control reload
		else
			sudo -u root /usr/sbin/unbound-control flush_zone "$1"
		fi
	fi
}

# Run in the background so the caller does not block on the rebuild
reload "$@" &
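
The queueing described in the message (the first request runs, the second waits, later ones are skipped), as an added example that is not part of the original post or its attached script. It takes each lock with `mkdir`, which creates or fails in one step, instead of an `[ -e ]` test followed by a write; `coalesced_reload`, `try_lock`, the `.run`/`.wait` suffixes and the status 99 are names and values assumed for this example.

```shell
#!/usr/bin/env bash
# Added example: coalescing reload requests with atomic lock directories.
# All names here are hypothetical; nothing below is taken from the script above.

COALESCED=99	# status returned when the request was folded into a queued one

# mkdir either creates the directory or fails, as a single operation, so two
# callers can never both conclude that they hold the lock.
try_lock() { mkdir -- "$1" 2>/dev/null; }

# coalesced_reload BASE CMD [ARG...]
#   returns CMD's exit status if CMD was run by this call,
#   or $COALESCED if another request is already queued and covers this one.
coalesced_reload() {
	local base=$1; shift
	local run="$base.run" queued="$base.wait"

	if ! try_lock "$run"; then
		# A rebuild is running and may have read the zone data before our
		# change landed, so one follow-up is needed. Exactly one caller
		# becomes the waiter; everyone else relies on that follow-up.
		try_lock "$queued" || return "$COALESCED"
		until try_lock "$run"; do sleep 1; done
		# Leave the queue before starting, so that a change arriving
		# during our own rebuild can queue the next follow-up.
		rmdir -- "$queued"
	fi

	# Subshell with an EXIT trap: the run lock is released when CMD
	# succeeds, fails, or the subshell is terminated by a trappable signal.
	# A SIGKILL still leaves a stale "$run" directory to clean up by hand.
	( trap 'rmdir -- "$run"' EXIT; "$@" )
}

# Usage sketch (lock base path is a placeholder):
#   coalesced_reload /path/to/lockbase sudo -u nsd /usr/sbin/nsdc rebuild
```

Because the waiter drops its `.wait` marker before it starts rebuilding, a change written during that rebuild always gets a rebuild of its own, which is the "another rebuild to import changes made in between" behaviour the message describes.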