On 05/10/2012 03:10 PM, Rick van Rein wrote:
> Hello,
>
> Specifically, when combined with OpenDNSSEC which regularly
> reloads its N zones into the daemon, and if each reload takes
> N rebuilds, then the order of complexity is N^2. And all
> that could be overcome by being able to rebuild, import and
> delete a single zone.
>
> I've tried to use zonec for that purpose, but discovered that
> this drops all other zones from the database. It can be read
> into the man page though, in retrospect ;-)
I've had the same experience. I've been told that this will be improved
in NSD4.

Not only was a lot of time wasted reloading NSD, it also caused all
kinds of problems such as hangs, crashes and missed updates. Mind you, most
of this experience is based on the ancient NSD2; NSD3 might be better.

In the end I wrote a wrapper script to handle nameserver restarts (both
NSD and Unbound). If a zone is reloaded, any further commands will be
queued until the rebuild is done. Then another 'rebuild' is issued to
import any changes that were made in between.

I've attached the script. The comments are in Dutch but I know you can
read that.

The first reload command gets executed directly.
The second command creates a waiting queue.
The third moves into the queue.
Then the Unbound-caches are flushed.

--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
-------------- next part --------------
#!/usr/bin/env bash
# $Id: nameserver-reload 53506 2012-04-11 11:31:27Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/opendnssec/usr/local/sbin/nameserver-reload $
#
# Reload the name servers
#

LOCK1=/var/lock/nameserver-reload1
LOCK2=/var/lock/nameserver-reload2

list_zones()
{
    sed -n 's/.*one name="\(.*\)".*/\1/gp' /etc/opendnssec/zonelist.xml
}

reload()
{
    # prevent the name servers from being started a hundred times in parallel
    if [ -e "$LOCK2" ]; then
        # Someone else is already waiting to reload nsd,
        # we do not need to do it once more as well.
        while [ -e "$LOCK2" ]; do
            sleep 1
        done
    else
        # NSD has to reload once more
        if [ ! -e "$LOCK1" ]; then
            # our turn right away, create a new queue
            echo $$ > "$LOCK1"
            LOCK=$LOCK1
        else
            # LOCK1 exists, join the queue and wait for your turn
            echo $$ > "$LOCK2"
            while [ -e "$LOCK1" ]; do
                sleep 1
            done
            LOCK=$LOCK2
            sleep $(( RANDOM % 5 ))
        fi
        trap 'rm -rf -- "$LOCK"' INT TERM EXIT
        sudo -u nsd /usr/sbin/nsdc rebuild && sudo -u nsd /usr/sbin/nsdc reload
        rm -- "$LOCK"
        # the lock is released: drop the trap so the exit handler cannot
        # remove a lock that another process has taken in the meantime
        trap - INT TERM EXIT
    fi

    if [ "$(hostname)" == 'ramanujan' ]; then
        if [ -z "$1" ]; then
            # no zone given -> reload all zones
            for zone in $(list_zones); do
                sudo -u root /usr/sbin/nsd-notify -z "$zone" 137.56.247.39 # haar
                sudo -u root /usr/sbin/nsd-notify -z "$zone" 137.56.247.40 # pade
            done
            sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf -s 137.56.247.184 reload
            sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf -s 137.56.247.185 reload
            # sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s 137.56.165.66 reload
        else
            sudo -u root /usr/sbin/nsd-notify -z "$1" 137.56.247.39 # haar
            sudo -u root /usr/sbin/nsd-notify -z "$1" 137.56.247.40 # + pade
            sudo -u root /usr/sbin/unbound-control -c /etc/unbound/tsingou.conf -s 137.56.247.184 flush_zone "$1"
            sudo -u root /usr/sbin/unbound-control -c /etc/unbound/ulam.conf -s 137.56.247.185 flush_zone "$1"
            #sudo -u root /usr/sbin/unbound-control -c /etc/unbound/primeape.conf -s 137.56.165.66 flush_zone "$1"
        fi
    else
        # metagross
        if [ -z "$1" ]; then
            sudo -u root /usr/sbin/unbound-control reload
        else
            sudo -u root /usr/sbin/unbound-control flush_zone "$1"
        fi
    fi
}

reload "$@" &
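
The queueing described in the message (the first request runs, the second waits, later ones rely on the queued run), as an added example that is not part of the attached script: it takes each lock with `mkdir`, which tests and creates in one atomic step, instead of testing for a lock file and then writing it. The names `coalesce_run` and `demo` and the lock directory layout are assumptions made for this example; the lock directory is assumed to be writable only by the user running the reloads.

```bash
#!/usr/bin/env bash
# Added example, not part of the attached script.
# coalesce_run LOCKDIR CMD [ARGS...]   (hypothetical helper name)
# Runs CMD at most once at a time and keeps at most one further run queued.
coalesce_run() {
    local dir=$1 rc=0; shift
    local run="$dir/running" queued="$dir/queued"
    mkdir -p "$dir" || return 1
    if mkdir "$run" 2>/dev/null; then
        :   # nothing in progress: run right away
    elif mkdir "$queued" 2>/dev/null; then
        # One run is in progress: take the single queue slot and wait for it.
        until mkdir "$run" 2>/dev/null; do sleep 0.2; done
        # Free the slot before starting, so a request that arrives during
        # this run queues a fresh run instead of relying on this one.
        rmdir "$queued"
    else
        # A run is already queued and will pick up our changes:
        # wait until it has started, then until it has finished.
        while [ -d "$queued" ]; do sleep 0.2; done
        while [ -d "$run" ]; do sleep 0.2; done
        return 0
    fi
    "$@" || rc=$?
    rmdir "$run"
    return "$rc"
}

# Constructed demo: three overlapping requests for a slow job that logs
# every run. Prints how many times the job actually ran.
demo() {
    local tmp; tmp=$(mktemp -d)
    slow_job() { echo run >> "$tmp/log"; sleep 1; }
    coalesce_run "$tmp/locks" slow_job &
    sleep 0.3
    coalesce_run "$tmp/locks" slow_job &
    sleep 0.3
    coalesce_run "$tmp/locks" slow_job &
    wait
    grep -c run "$tmp/log"
    rm -rf "$tmp"
}
```

Calling `demo` prints 2: the third request waits for the queued run instead of starting one of its own.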