[dns-operations] Some DNSSEC trivia

Florian Weimer fweimer at bfk.de
Wed Jan 2 17:51:56 UTC 2008

Just for fun, I took a .NET zone file (from November last year,
perhaps I should have taken a more current one) and tried to load it
into BIND 9.  Here are a few numbers:

  Without DNSSEC:
    File size: 817 MB
    BIND 9 core size: 2338m
    Zone load time: 4 minutes

  With DNSSEC (NSEC-based):
    File size: 6190m
    BIND 9 core size: 6782m
    Zone load time: 20 minutes
    Zone signing time: 108 minutes wall time, 813 minutes CPU time

This is with BIND 9.3.4 (from Debian 4.0/etch), running on an Intel
amd64 machine with 8 CPU cores and 64 GB of RAM.

The numbers aren't as extreme as I thought.  I had expected something
closer to 20 GB of core size.  I think I'll try .COM next; usually,
it's roughly a factor of 7 larger than .NET.  It might just be
possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)

Is there a publicly available code base which supports NSEC3?  I would
like to compare the numbers.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
