Thursday 0:00 UTC AXFR-DoS due to presigned zones

[klaus-nicat]

Hello! I have a customer with almost 1 mio presigned zones, and we are secondary for that customer. Both, customer primary and our secondary are PowerDNS. The zones are signed on the primary PowerDNS. Every Thursday 0:00 UTC, due to 'inception', the serial is increasing, resulting in 1mio NOTIFYs + 1mio AXFRs. This causes high load on the secondary and its DB (postgresql backend), so that updates to other zones get heavily delayed. I wonder what means I have to avoid that peak load.
I could lower retrieval-threads but that also delays AXFR of normal updated zones.

Is there any option I could use on the primary to distribute/delay the NOTIFYs for zones whose serial is increased due to the DNSSEC inception, but immediately send NOTIFYs for zones that were really updated.

Or do you have any other ideas to avoid the Thursday morning AXFR-DoS?

And is there a size limit for the Refresh/AXFR queue? So what if 1 mio NOTIFYS are received but retrieval-threads=2, will the 1mio refresh checks, and then the corresponding 1mio AXFR task all be queued?

[klaus-nicat]

I have to correct myself: DNSSEC inception does NOT trigger NOTIFYs, as notified_serial does not store the "edited" serial, but the serial as stored in the records table. Hence, the master check will not NOTIFY increased serial due to default-soa-edit-signed. Hence, DNSSEC signature changes will only be detected during normal refresh-checks and queued for AXFR (with lower priority than NOTIFY triggered AXFRs). So, lowering retrieval-threads seems to be the correct option to lower load on the DB.

[Habbie]

Thank you for reporting back, I had the same in mind, but wanted to check before posting :-)