[dns-operations] Some DNSSEC trivia

Edward Lewis Ed.Lewis at neustar.biz
Wed Jan 2 18:31:24 UTC 2008


At 18:51 +0100 1/2/08, Florian Weimer wrote:

>it's roughly by a factor of 7 larger than .NET.  It might just be
>possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)

I don't think it's been doubted that a DNSSEC-signed .COM could be 
served from a PC.  The beauty of the DNSSEC design is that it is easy 
on the server.  Behind the scenes a lot goes on to achieve that. 
(Perhaps too much goes on.)

Bandwidth and other matters are issues.  The problem has been in 
managing the operational relationships involved in DNSSEC, dealing 
with disruptive middle-ware, and coping with the constant maintenance 
not needed today in DNS.

As far as signing, here's some historical trivia regarding DNSSEC and 
commodity hardware.  In 1997 I wrote what was (arguably) the first 
full-fledged DNSSEC zone signer.  One of my test cases was .COM. 
.COM was only about 750K records (maybe 1% of what it is now), still 
by far the largest zone around.  My hardware was a lowly 100MHz PC (I 
forget memory and disk, but commensurate with the times for a 
rinky-dink machine).  Signing took 40 hours - that was a complete 
signing, not a recycled signing.  But it all worked (thanks to some 
fancy memory management techniques) albeit to the specification of 
RFC 2065.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
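The "complete signing, not a recycled signing" distinction in the message above, illustrated with an added toy example (this is not Ed's 1997 signer nor any real zone signer): a complete signing produces a fresh RRSIG for every RRset, while a recycled signing keeps RRSIGs that still verify over the current data and are not close to expiry, and re-signs only the RRsets that are new, changed or about to expire. The HMAC is a stand-in for the zone's private-key signature, the 30-day validity and 7-day refresh window are assumed values, and the four-record zone is constructed for the demo.

```python
"""Full vs. recycled zone signing, as a toy model of the signer's workload.
Constructed example: the "signature" is an HMAC stand-in for a private-key
signature, and the zone is four made-up RRsets."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

DAY = 86400
SIG_VALIDITY = 30 * DAY    # assumed RRSIG lifetime (inception -> expiration)
REFRESH_WINDOW = 7 * DAY   # assumed: re-sign once fewer than 7 days remain

Key = Tuple[str, str]      # (owner name, RR type) identifies an RRset


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    ttl: int = 3600


@dataclass(frozen=True)
class RRSIG:
    name: str
    rtype: str
    inception: int
    expiration: int
    signature: bytes


def canonical_form(rrset: RRset) -> bytes:
    """Owner lowercased, rdata sorted, one RR per line: the same idea as
    RFC 4034 canonical ordering, without the wire-format encoding."""
    owner = rrset.name.lower()
    lines = [f"{owner} {rrset.ttl} IN {rrset.rtype} {rd}"
             for rd in sorted(rrset.rdata)]
    return "\n".join(lines).encode()


def _sig_input(rrset: RRset, inception: int, expiration: int) -> bytes:
    # The validity window is covered by the signature so it cannot be altered.
    return f"{inception}|{expiration}|".encode() + canonical_form(rrset)


def sign_rrset(key: bytes, rrset: RRset, now: int) -> RRSIG:
    """Stand-in signer: HMAC-SHA256 plays the private key's role here;
    real DNSSEC uses RSA, ECDSA or Ed25519 (RFC 4034, RFC 8080)."""
    inception, expiration = now, now + SIG_VALIDITY
    mac = hmac.new(key, _sig_input(rrset, inception, expiration), hashlib.sha256)
    return RRSIG(rrset.name, rrset.rtype, inception, expiration, mac.digest())


def verify_rrsig(key: bytes, rrset: RRset, sig: RRSIG, now: int) -> bool:
    """The RRSIG must cover the current RRset data and be inside its window."""
    if not sig.inception <= now <= sig.expiration:
        return False
    mac = hmac.new(key, _sig_input(rrset, sig.inception, sig.expiration), hashlib.sha256)
    return hmac.compare_digest(mac.digest(), sig.signature)


def full_sign(key: bytes, zone: Dict[Key, RRset], now: int) -> Tuple[Dict[Key, RRSIG], int]:
    """Complete signing: every RRset gets a fresh RRSIG."""
    sigs = {k: sign_rrset(key, rr, now) for k, rr in zone.items()}
    return sigs, len(sigs)


def recycle_sign(key: bytes, zone: Dict[Key, RRset], sigs: Dict[Key, RRSIG],
                 now: int) -> Tuple[Dict[Key, RRSIG], int]:
    """Recycled signing: keep RRSIGs that still verify over the current data
    and are not near expiry; re-sign only new, changed or expiring RRsets.
    RRSIGs for RRsets no longer in the zone are dropped."""
    out: Dict[Key, RRSIG] = {}
    signed = 0
    for k, rr in zone.items():
        old = sigs.get(k)
        if (old is not None and verify_rrsig(key, rr, old, now)
                and old.expiration - now >= REFRESH_WINDOW):
            out[k] = old
        else:
            out[k] = sign_rrset(key, rr, now)
            signed += 1
    return out, signed


def demo() -> Tuple[int, int, int]:
    """Returns how many RRsets were signed on day 0, day 1 and day 24."""
    key = b"toy-zone-signing-key"   # constructed; never hard-code a real key
    zone: Dict[Key, RRset] = {}
    for rr in (RRset("example.", "SOA", ("ns1.example. hostmaster.example. 2008010201 7200 3600 1209600 3600",)),
               RRset("example.", "NS", ("ns1.example.", "ns2.example.")),
               RRset("www.example.", "A", ("192.0.2.1",)),
               RRset("mail.example.", "A", ("192.0.2.25",))):
        zone[(rr.name, rr.rtype)] = rr

    sigs, n0 = full_sign(key, zone, 0)                   # every RRset: 4
    zone[("www.example.", "A")] = RRset("www.example.", "A", ("192.0.2.2",))
    sigs, n1 = recycle_sign(key, zone, sigs, 1 * DAY)    # only the change: 1
    sigs, n2 = recycle_sign(key, zone, sigs, 24 * DAY)   # the 3 nearing expiry
    return n0, n1, n2


if __name__ == "__main__":
    print(demo())  # (4, 1, 3)
```

The day-24 pass shows the operational point behind "recycled" signing: the RRsets signed on day 0 are re-signed because they are inside the refresh window, while the one re-signed on day 1 still has a full week left and is left alone. Nothing in this work touches the authoritative server, which only has to hand out the stored RRSIGs.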


