Grow and shrink dnssec-sign statistics on key rollover events
!2067 (merged) introduced dnssec-sign statistics (#513 (closed)) to the zone statistics. This introduced an operational issue because when using zone-statistics full; the memory usage is going through the roof. It turns out that using the key id as index wasn't the greatest idea.
!3304 (merged) fixes this (#1179) by allocating just four key slots per zone. If a zone exceeds the number of keys, for example through a key rollover, the keys will be rotated out on a FIFO basis.
This works for most cases, and fixes the immediate problem of high memory usage, but if you sign your zone with many, many keys, or sign with a ZSK/KSK double algorithm strategy, you may experience weird statistics.
A better strategy would be to grow the number of key slots per zone on key rollover events: grow during key rollover, shrink on an LRU basis.
In addition, if a zone is signed with two algorithms there is a very small chance that two keys will have the same key tag. The dnssec-sign statistics prevent operators from identifying which key is which when there are common key ids across algorithms.
When dumping stats, rather than passing the key tag, pass kval and show an appropriate value label to be constructed or something like this to be emitted:
{
  "algorithm": value,
  "tag": value,
  "sign-count": value,
  "refresh-count": value
},
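The proposal above as an added example (not BIND's code and not part of the original issue): counters are keyed by (algorithm, tag) so equal tags under two algorithms stay separate, the table grows when a new key appears, and it shrinks by LRU eviction. The names keyslot_t, signstats_t, slot_find, stats_count and stats_shrink are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-zone table, constructed for illustration (not BIND's). */
typedef struct { uint8_t alg; uint16_t tag; uint64_t sign, refresh, used_at; } keyslot_t;
typedef struct { keyslot_t *slots; size_t used, cap; uint64_t clock; } signstats_t;

/* Look a key up by (algorithm, tag), never by tag alone; NULL if absent. */
keyslot_t *slot_find(const signstats_t *s, uint8_t alg, uint16_t tag) {
    for (size_t i = 0; i < s->used; i++)
        if (s->slots[i].alg == alg && s->slots[i].tag == tag) return &s->slots[i];
    return NULL;
}

/* Count one sign (refresh == 0) or refresh operation; -1 if out of memory. */
int stats_count(signstats_t *s, uint8_t alg, uint16_t tag, int refresh) {
    keyslot_t *k = slot_find(s, alg, tag);
    if (k == NULL) { /* new key, e.g. during a rollover: grow if full */
        if (s->used == s->cap) {
            size_t ncap = s->cap ? s->cap * 2 : 4;
            keyslot_t *n = realloc(s->slots, ncap * sizeof(*n));
            if (n == NULL) return -1;
            s->slots = n;
            s->cap = ncap;
        }
        k = &s->slots[s->used++];
        *k = (keyslot_t){ .alg = alg, .tag = tag };
    }
    if (refresh) k->refresh++; else k->sign++;
    k->used_at = ++s->clock;
    return 0;
}

/* Shrink to `keep` slots by evicting the least recently used keys
 * (the allocation itself is kept for reuse). */
size_t stats_shrink(signstats_t *s, size_t keep) {
    size_t dropped = 0;
    for (; s->used > keep; dropped++) {
        size_t lru = 0;
        for (size_t i = 1; i < s->used; i++)
            if (s->slots[i].used_at < s->slots[lru].used_at) lru = i;
        s->slots[lru] = s->slots[--s->used]; /* swap-remove the LRU slot */
    }
    return dropped;
}
```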