[dns-operations] Some DNSSEC trivia
Ed.Lewis at neustar.biz
Wed Jan 2 18:31:24 UTC 2008
At 18:51 +0100 1/2/08, Florian Weimer wrote:
>it's roughly by a factor of 7 larger than .NET. It might just be
>possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)
I don't think it's been doubted that a DNSSEC-signed .COM could be
served from a PC. The beauty of the DNSSEC design is that it is easy
on the server. Behind the scenes a lot goes on to achieve that.
(Perhaps too much goes on.)
Bandwidth and other matters are issues. The problem has been in
managing the operational relationships involved in DNSSEC, dealing
with disruptive middle-ware, and coping with the constant maintenance
not needed today in DNS.
As far as signing, here's some historical trivia regarding DNSSEC and
commodity hardware. In 1997 I wrote what was (arguably) the first
full-fledged DNSSEC zone signer. One of my test cases was .COM.
.COM was only about 750K records (maybe 1% of what it is now), still
by far the largest zone around. My hardware was a lowly 100MHz PC (I
forget memory and disk, but commensurate with the times for a
rinky-dink machine). Signing took 40 hours - that was a complete
signing, not a recycled signing. But it all worked (thanks to some
fancy memory management techniques) albeit to the specification of
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
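Ed's distinction between a "complete signing" and a "recycled signing" is the part of the post most worth seeing in code. The example below is added here and is not Ed's 1997 signer or any project's code: it models a zone as RRsets in RFC 4034-style canonical form, signs every RRset once (complete), then re-signs only the RRsets that are new, changed, or approaching expiry (recycled), which is what lets an operator avoid a 40-hour run on every change. Assumptions: the signing primitive is HMAC-SHA256 under a constructed secret standing in for a real DNSSEC algorithm (RSA/ECDSA/EdDSA would be used in practice), the zone, key, lifetime and refresh window are constructed values, and the record encoding is a readable stand-in for DNS wire format.

```python
import hashlib
import hmac

# Constructed stand-in for a zone-signing key; a real signer would use an
# asymmetric DNSSEC algorithm, and the signing step would be far slower.
ZSK = b"constructed-zsk-secret-not-a-real-key"
LIFETIME = 30 * 86400   # constructed signature validity period (seconds)
REFRESH = 7 * 86400     # re-sign anything expiring within this window


def canonical_rrset(owner, rtype, ttl, rdatas):
    """RFC 4034 section 6-style canonical form: lower-cased owner name and
    RDATA sorted as octet strings, so RDATA order in the zone file is irrelevant."""
    return b"".join(
        b"%s|%s|%d|%s" % (owner.lower().encode(), rtype.encode(), ttl, r)
        for r in sorted(rd.encode() for rd in rdatas)
    )


def sign_rrset(owner, rtype, ttl, rdatas, inception, expiration, key=ZSK):
    """Produce an RRSIG-like record. As in RFC 4034, the signed data covers the
    RRSIG fields (type covered, validity window) plus the canonical RRset."""
    data = canonical_rrset(owner, rtype, ttl, rdatas)
    header = b"%s|%d|%d|" % (rtype.encode(), inception, expiration)
    sig = hmac.new(key, header + data, hashlib.sha256).hexdigest()
    return {"type_covered": rtype, "inception": inception, "expiration": expiration,
            "signature": sig, "covered_hash": hashlib.sha256(data).hexdigest()}


def verify_rrsig(owner, rtype, ttl, rdatas, rrsig, now, key=ZSK):
    """Validity window check first, then the signature over the canonical RRset."""
    if not (rrsig["inception"] <= now <= rrsig["expiration"]):
        return False
    data = canonical_rrset(owner, rtype, ttl, rdatas)
    header = b"%s|%d|%d|" % (rtype.encode(), rrsig["inception"], rrsig["expiration"])
    expected = hmac.new(key, header + data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rrsig["signature"])


def sign_zone_complete(zone, now, lifetime=LIFETIME):
    """Complete signing: every RRset gets a fresh signature. Returns (sigs, n_signed)."""
    sigs = {}
    for (owner, rtype), (ttl, rdatas) in zone.items():
        sigs[(owner, rtype)] = sign_rrset(owner, rtype, ttl, rdatas, now, now + lifetime)
    return sigs, len(sigs)


def sign_zone_recycled(zone, old_sigs, now, lifetime=LIFETIME, refresh=REFRESH):
    """Recycled signing: keep an existing signature when its RRset is unchanged
    and it will not expire within `refresh` seconds; sign only new, changed or
    expiring RRsets; drop signatures whose RRset no longer exists."""
    sigs = {}
    n_signed = 0
    for (owner, rtype), (ttl, rdatas) in zone.items():
        old = old_sigs.get((owner, rtype))
        data_hash = hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).hexdigest()
        if old and old["covered_hash"] == data_hash and old["expiration"] - now > refresh:
            sigs[(owner, rtype)] = old
        else:
            sigs[(owner, rtype)] = sign_rrset(owner, rtype, ttl, rdatas, now, now + lifetime)
            n_signed += 1
    return sigs, n_signed


def verify_zone(zone, sigs, now):
    """True only if every RRset has a valid, in-window signature and there are
    no orphan signatures left over for deleted RRsets."""
    return set(sigs) == set(zone) and all(
        verify_rrsig(k[0], k[1], ttl, rdatas, sigs[k], now)
        for k, (ttl, rdatas) in zone.items()
    )


# Constructed sample zone: (owner, type) -> (ttl, [rdata, ...]).
ZONE = {
    ("example.com.", "SOA"): (3600, ["ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"]),
    ("example.com.", "NS"): (3600, ["ns2.example.com.", "ns1.example.com."]),
    ("Www.example.com.", "A"): (300, ["192.0.2.20", "192.0.2.10"]),
    ("mail.example.com.", "MX"): (3600, ["10 mx.example.com."]),
}

if __name__ == "__main__":
    t0 = 1199298684  # constructed: around the date of the post
    sigs, n = sign_zone_complete(ZONE, t0)
    print("complete signing: %d RRsets signed" % n)
    zone2 = dict(ZONE)
    zone2[("Www.example.com.", "A")] = (300, ["192.0.2.10", "192.0.2.20", "192.0.2.30"])
    sigs2, n2 = sign_zone_recycled(zone2, sigs, t0 + 86400)
    print("recycled signing a day later: %d RRset(s) re-signed, zone valid: %s"
          % (n2, verify_zone(zone2, sigs2, t0 + 86400)))
```

The canonical-form step is what makes recycling safe: an RRset whose RDATA was merely reordered in the zone file hashes the same and keeps its signature, while any real change, a new RRset, or a signature inside the refresh window forces a fresh signing. The server side never runs any of this; it just serves the stored signatures, which is the "easy on the server" property Ed describes.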