Hi Leo,
It's quite normal to use multiple signing-threads for TLD signing.
Typically, signing with CPU cores is more efficient than with an HSM.
Note that zone signing consists of several phases and not all of them can be parallelized.
You can benchmark your keystore using `keymgr <keystore_conf_id> keystore-bench <number_of_threads>`.
Daniel
On 3/18/26 16:31, Leo Vandewoestijne via knot-dns-users wrote:
Hello,
In this other use-case, described in the thread "IXFR commit time scaling",
there was a reply referring to
https://www.knot-dns.cz/docs/3.5/singlehtml/#signing-threads and
https://www.knot-dns.cz/docs/3.5/singlehtml/#adjust-threads
Which made me wonder...
a] you can have an external networked HSM, which sounds promising to speed up signing a
lot...
b] nowadays you also have even 128 core processors, even multiple CPU slots, which sounds
like an immense boost for co-processing...
c] you could combine those...
Clinical data would probably be hard, but hypothetical/estimated;
what would be wise/pointless/smart/insane to increase signing of large zones?
I'd expect that RAM speed is a major factor also.
What would be an ideal setup today?
--