[dns-operations] Some DNSSEC trivia
Florian Weimer
fweimer at bfk.de
Wed Jan 2 17:51:56 UTC 2008

Just for fun, I took a .NET zone file (from November last year,
perhaps I should have taken a more current one) and tried to load it
into BIND 9. Here are a few numbers:

Without DNSSEC:
  File size: 817 MB
  BIND 9 core size: 2338m
  Zone load time: 4 minutes

With DNSSEC (NSEC-based):
  File size: 6190m
  BIND 9 core size: 6782m
  Zone load time: 20 minutes
  Zone signing time: 108 minutes wall time, 813 minutes CPU time

This is with BIND 9.3.4 (from Debian 4.0/etch), running on an Intel
amd64 machine with 8 CPU cores and 64 GB of RAM.

The numbers aren't as extreme as I thought. I had expected something
closer to 20 GB of core size. I think I'll try .COM next; usually,
it's roughly by a factor of 7 larger than .NET. It might just be
possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)

Is there a publicly available code base which supports NSEC3? I would
like to compare the numbers.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99