[dns-operations] Some DNSSEC trivia
Mark_Andrews at isc.org
Thu Jan 3 00:13:58 UTC 2008
> At 18:51 +0100 1/2/08, Florian Weimer wrote:
> >it's roughly by a factor of 7 larger than .NET. It might just be
> >possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)
> I don't think it's been doubted that a DNSSEC-signed .COM could be
> served from a PC. The beauty of the DNSSEC design is that it is easy
> on the server. Behind the scenes a lot goes on to achieve that.
> (Perhaps too much goes on.)
> Bandwidth and other matters are issues. The problem has been in
> managing the operational relationships involved in DNSSEC, dealing
> with disruptive middleware, and coping with the constant maintenance
> not needed today in DNS.
Just about all of which can be completely automated. The only
thing that can't be is establishing the initial secure delegation.
Key rollovers can be automated. Re-signing has been automated.
Updating of DS records in the parent zone can be automated.
All it requires is the will to let it happen. We have the
building blocks to do it today.
> As far as signing, here's some historical trivia regarding DNSSEC and
> commodity hardware. In 1997 I wrote what was (arguably) the first
> full-fledged DNSSEC zone signer. One of my test cases was .COM.
> .COM was only about 750K records (maybe 1% of what it is now), still
> by far the largest zone around. My hardware was a lowly 100MHz PC (I
> forget memory and disk, but commensurate with the times for a
> rinky-dink machine). Signing took 40 hours - that was a complete
> signing, not a recycled signing. But it all worked (thanks to some
> fancy memory management techniques) albeit to the specification of
> RFC 2065.
> Edward Lewis +1-571-434-5468
> Think glocally. Act confused.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
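One of the "building blocks" the reply refers to, as an added example that is not code from this thread, from ISC or from BIND: deriving the DS record a parent zone publishes from a child's DNSKEY, following RFC 4034 (canonical owner name concatenated with the DNSKEY RDATA, hashed with the chosen digest type; key tag per RFC 4034 Appendix B). Automating DS updates in the parent amounts to computing exactly this and submitting it through whatever interface the parent offers. The owner name and the 4-byte "public key" below are constructed placeholders, not real key material.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the root label."""
    owner = owner.rstrip(".").lower()
    wire = b""
    if owner:
        for label in owner.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {owner!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except historic RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    try:
        algo = DS_DIGEST[digest_type]
    except KeyError:
        raise ValueError(f"unsupported DS digest type {digest_type}") from None
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS record text a parent zone would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: a KSK-style DNSKEY (flags 257 = ZONE|SEP, algorithm 13 =
# ECDSAP256SHA256) with a placeholder 4-byte "public key"; not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(bytes([0x01, 0x02, 0x03, 0x04])).decode()

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY_B64, 2))
```

In practice the same derivation is what BIND's `dnssec-dsfromkey` performs; the point of writing it out is that nothing in the DS step requires a human, only a trustworthy channel to the parent, which is the initial-secure-delegation problem the reply singles out as the one part that cannot be automated.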