    Redesign dnssec sign statistics · 705810d5
    Matthijs Mekking authored
    The first attempt to add DNSSEC sign statistics was naive: for each
    zone we allocated 64K counters, twice.  In reality each zone has at
    most four keys, so the new approach only has room for four keys per
    zone. If after a rollover more keys have signed the zone, existing
    keys are rotated out.
    
    The DNSSEC sign statistics have three counters per key, so twelve
    counters per zone. The first counter is actually a key id, so it is
    clear what key contributed to the metrics.  The second counter
    tracks the number of generated signatures, and the third tracks
    how many of those are refreshes.
    
    This means that in the zone structure we no longer need two separate
    references to DNSSEC sign metrics: both the resign and refresh stats
    are kept in a single dns_stats structure.
    
    Incrementing dnssecsignstats:
    
    Whenever a dnssecsignstat is incremented, we look up the key id
    to see if we already are counting metrics for this key.  If so,
    we update the corresponding operation counter (resign or
    refresh).
    
    If the key is new, store the value in a new counter and increment
    the corresponding counter.
    
    If all slots are full, we rotate the keys and overwrite the last
    slot with the new key.
    
    Dumping dnssecsignstats:
    
    Dumping dnssecsignstats is no longer a simple wrapper around
    isc_stats_dump, but uses the same principle.  The difference is that
    rather than dumping the index (key tag) and counter, we have to look
    up the corresponding counter.
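
The slot scheme described in the commit message above, as a standalone C sketch added here; it is not BIND's code. The names (`sign_stats`, `sign_stats_increment`, `sign_stats_get`) are hypothetical, "rotate" is assumed to mean dropping the oldest slot, and occupancy is assumed to be tracked with a separate count so that key id 0 remains usable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 4 /* slots per zone, as in the commit message */

/* Hypothetical names. Slot layout: [0] key id, [1] signatures, [2] refreshes. */
enum sign_op { OP_SIGN = 1, OP_REFRESH = 2 };
struct sign_stats {
    uint32_t slot[MAX_KEYS][3];
    int used; /* assumption: occupancy is tracked here, so key id 0 stays valid */
};

void sign_stats_increment(struct sign_stats *s, uint16_t keyid, enum sign_op op) {
    int i;
    for (i = 0; i < s->used; i++) /* key already tracked: bump its counter */
        if (s->slot[i][0] == keyid) { s->slot[i][op]++; return; }
    if (s->used < MAX_KEYS) {
        i = s->used++; /* new key, free slot */
    } else {
        /* Full: drop the oldest key (assumed meaning of "rotate"),
         * shift the rest down and reuse the last slot. */
        memmove(s->slot, s->slot + 1, (MAX_KEYS - 1) * sizeof s->slot[0]);
        i = MAX_KEYS - 1;
    }
    s->slot[i][0] = keyid;
    s->slot[i][OP_SIGN] = s->slot[i][OP_REFRESH] = 0; /* no stale counts */
    s->slot[i][op] = 1;
}

/* Dump support: find the slot holding keyid, then read its counter.
 * Returns -1 when the key is not (or no longer) tracked. */
long sign_stats_get(const struct sign_stats *s, uint16_t keyid, enum sign_op op) {
    int i;
    for (i = 0; i < s->used; i++)
        if (s->slot[i][0] == keyid) return (long)s->slot[i][op];
    return -1;
}

int main(void) {
    struct sign_stats s;
    uint16_t k; /* constructed key ids: 1001..1004 in use, 1005 after a rollover */
    int i;
    memset(&s, 0, sizeof s);
    for (k = 1001; k <= 1005; k++) sign_stats_increment(&s, k, OP_SIGN);
    sign_stats_increment(&s, 1005, OP_REFRESH);
    for (i = 0; i < s.used; i++)
        printf("key %u: sign=%u refresh=%u\n", (unsigned)s.slot[i][0],
               (unsigned)s.slot[i][1], (unsigned)s.slot[i][2]);
    return 0;
}
```

A key that has been rotated out loses its counts, so a monitoring consumer sees that key id disappear from the dump rather than reset to zero.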