More than 13,000 signatures per second

We are now working with the v1.3 release, which will add support for multithreaded signing. The current version of OpenDNSSEC only uses one thread when signing a single zone, which means that you will most likely not get the maximum performance out of your HSM. As our review of HSMs showed us, you’ll need to have multiple connections (threads) to your HSM in order to get 100% performance.

OpenDNSSEC has “workers” which will handle the tasks of each zone. Each worker is single threaded, but using multiple workers will give the effect of multi threading. This requires you to have multiple zones. However, an environment with large amount of signatures and frequent updates typically fits the profile of a single large zone (TLD).

We have now changed the design so that each worker will add RRsets to a signing queue, where a pool of signer threads (called “drudgers”) can grab a signing task and perform it. The number of workers and drudgers can be configured in the configuration (conf.xml). The default value is to have 4 WorkerThreads and 4 SignerThreads. If the SignerThreads tag is not present, it will have the same value as the WorkerThreads. This is so that old configuration files will get the benefit of multithreaded signing.

Below you can find how long time it takes to sign the .se-zone (serial 2010121504) using NSEC, plain NSEC3, and NSEC3 Opt-Out. We are using the SCA6000 with 80 SignerThreads. RSA/SHA-1 with 2048-bit KSK and 1024-bit ZSK. NSEC3 with 5 iterations and salt length 8.

All we have to do now is some more testing before doing a release.

OpenDNSSEC v1.3.0-trunk

[STATS] se RR[count=2322389 time=46(sec)] NSEC[count=998562 time=20(sec)] RRSIG[new=1002849 reused=0 time=74(sec) avg=13552(sig/sec)] TOTAL[time=170(sec)]

Plain NSEC3
[STATS] se RR[count=2322389 time=46(sec)] NSEC3[count=998603 time=27(sec)] RRSIG[new=1002891 reused=0 time=74(sec) avg=13552(sig/sec)] TOTAL[time=182(sec)]

NSEC3 Opt-Out
[STATS] se RR[count=2322389 time=46(sec)] NSEC3[count=4265 time=4(sec)] RRSIG[new=8553 reused=0 time=1(sec) avg=8553(sig/sec)] TOTAL[time=63(sec)]

OpenDNSSEC v1.2-branch

[STATS] se RR[count=2322389 time=56(sec)] NSEC[count=998562 time=40(sec)] RRSIG[new=1002849 reused=0 time=470(sec) avg=2133(sig/sec)] TOTAL[time=604(sec)]

Plain NSEC3
[STATS] se RR[count=2322389 time=56(sec)] NSEC3[count=998603 time=60(sec)] RRSIG[new=1002891 reused=0 time=478(sec) avg=2098(sig/sec)] TOTAL[time=637(sec)]

NSEC3 Opt-Out
[STATS] se RR[count=2322389 time=56(sec)] NSEC3[count=4265 time=12(sec)] RRSIG[new=8553 reused=0 time=4(sec) avg=2138(sig/sec)] TOTAL[time=95(sec)]

Comments are closed.