[dns-operations] Some DNSSEC trivia
fweimer at bfk.de
Mon Jan 7 15:20:05 UTC 2008
* Edward Lewis:
> At 18:51 +0100 1/2/08, Florian Weimer wrote:
>>it's roughly by a factor of 7 larger than .NET. It might just be
>>possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)
> I don't think it's been doubted that a DNSSEC-signed .COM could be
> served from a PC.
I'm still a bit surprised. And I think there was a time when this was
not possible. De-facto PCs (architecture-wise and price-wise) with
64 GB RAM have not been sold for that long.
For .COM, the numbers are:
File size: 5.4 GB
BIND 9 core size: 15.3 GB
Zone load time: 30 minutes
With DNSSEC (NSEC-based):
File size: 43 GB
BIND 9 core size: 45.3 GB
Zone load time: 141 minutes
Zone signing time: dnssec-signzone exceeded 64 GB process size,
poor access locality, no measurement possible
dnssec-signzone (from BIND 9.3) started to thrash really heavily when
all the work was done and dns_db_closeversion was called to clean up,
it seemed. Before that, locality was good enough to make progress even
though the machine was about 15 GB of RAM short and was swapping. If
this is fixed, wall-clock time for creating the signatures is probably
in excess of 800 minutes, but hard to estimate given this issue.
There is no reason why dnssec-signzone must have poor locality, so
this is a software issue and not a principal obstacle.
> Bandwidth and other matters are issues. The problem has been in
> managing the operational relationships involved in DNSSEC, dealing
> with disruptive middle-ware, and coping with the constant maintenance
> not needed today in DNS.
Due to better Name Error caching, DNSSEC might actually be a win,
bandwidth-wise. The middlebox issue is nasty, though. From my point
of view, the most pressing issue is who is responsible if DNSSEC
breaks stuff. If I turn on DNSSEC and this impacts customers[*]
because they publish bad data, is this my fault or theirs? I
understand that there is no easy answer at this stage.
[*] Not in the ISP sense. Business transactions failing due to
DNSSEC-induced DNS issues are my concern.
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
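The size figures in the message (a file roughly eight times larger after NSEC signing) follow from the per-name overhead that signing adds: one NSEC record and one RRSIG at every delegation point, plus signatures on every apex RRset. The script below is an added example, not part of the original message or of BIND; it builds the NSEC chain for a small constructed delegation-style zone in RFC 4034 canonical order and estimates the uncompressed wire size of the zone before and after signing. The zone contents, the rdata lengths, and the key parameters (a single RSA-1024 zone key, so 128-byte signatures and a 136-byte DNSKEY) are assumptions chosen for illustration.

```python
"""Estimate how much an NSEC-signed, delegation-heavy zone grows on the wire.
Constructed example: the zone, rdata lengths and key size are assumptions."""

TYPE = {"A": 1, "NS": 2, "SOA": 6, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
RR_HEADER = 10      # TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)
RRSIG_FIXED = 18    # RRSIG rdata before the signer name and signature (RFC 4034 s3.1)
SIG_LEN = 128       # assumption: RSA/SHA-1 with a 1024-bit zone-signing key
DNSKEY_RDATA = 4 + 132  # flags/protocol/algorithm + RSA-1024 key per RFC 3110 (assumption)


def wire_name(name):
    """Uncompressed wire length of a dotted FQDN (RFC 1035 s3.1): label bytes plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to left,
    case-insensitively and byte-wise; a name sorts before its own subdomains."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_chain(owners):
    """Return (owner, next_owner) pairs for the NSEC chain; the last NSEC wraps to the apex."""
    ordered = sorted(set(owners), key=canonical_key)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]


def type_bitmap_len(types):
    """Length of an NSEC type bitmap (RFC 4034 s4.1.2): per window, 2 header bytes plus
    the minimal number of bitmap bytes that covers the highest type present."""
    windows = {}
    for t in types:
        windows.setdefault(t >> 8, []).append(t & 0xFF)
    return sum(2 + (max(lows) // 8 + 1) for lows in windows.values())


def rr_size(owner, rdata_len):
    return wire_name(owner) + RR_HEADER + rdata_len


def is_below_cut(owner, delegations):
    """Glue lives below a zone cut and gets neither an NSEC nor an RRSIG."""
    o = owner.lower()
    return any(o != d.lower() and o.endswith("." + d.lower()) for d in delegations)


def estimate(apex, records, sig_len=SIG_LEN):
    """records: (owner, rrtype, rdata_len) triples of the unsigned zone.
    Returns (unsigned_bytes, signed_bytes) for the uncompressed wire form."""
    unsigned = sum(rr_size(o, n) for o, _, n in records)
    delegations = {o for o, t, _ in records if t == "NS" and o != apex}
    auth_owners = {o for o, _, _ in records if not is_below_cut(o, delegations)}
    types_at = {}
    for o, t, _ in records:
        if o in auth_owners:
            types_at.setdefault(o, set()).add(TYPE[t])
    # Signing publishes the zone key at the apex (assumption: one DNSKEY).
    types_at[apex].add(TYPE["DNSKEY"])
    added = rr_size(apex, DNSKEY_RDATA)
    for owner, nxt in nsec_chain(auth_owners):
        bitmap = types_at[owner] | {TYPE["NSEC"], TYPE["RRSIG"]}
        added += rr_size(owner, wire_name(nxt) + type_bitmap_len(bitmap))
        # One RRSIG per authoritative RRset plus one for the NSEC itself. At a
        # delegation the NS RRset (and glue) is not signed, so only the NSEC is.
        rrsets = 1 if owner in delegations else len(types_at[owner]) + 1
        added += rrsets * rr_size(owner, RRSIG_FIXED + wire_name(apex) + sig_len)
    return unsigned, unsigned + added


APEX = "example."
ZONE = [  # constructed: a tiny TLD-style zone, rdata lengths are the wire lengths of the names
    ("example.", "SOA", 52), ("example.", "NS", 13), ("example.", "NS", 13),
    ("ns1.example.", "A", 4), ("ns2.example.", "A", 4),
    ("alpha.example.", "NS", 19), ("alpha.example.", "NS", 19),
    ("ns1.alpha.example.", "A", 4), ("ns2.alpha.example.", "A", 4),   # glue below the cut
    ("beta.example.", "NS", 13), ("Gamma.example.", "NS", 13),          # mixed case on purpose
]

if __name__ == "__main__":
    before, after = estimate(APEX, ZONE)
    print("NSEC chain:", " -> ".join(o for o, _ in nsec_chain(
        {o for o, _, _ in ZONE if not is_below_cut(o, {"alpha.example.", "beta.example.", "Gamma.example."})})))
    print(f"unsigned {before} bytes, signed {after} bytes, ratio {after / before:.2f}")
```

On this constructed zone the signed form comes out about 6.7 times the unsigned one, the same order of magnitude as the .COM file-size figures above; with a delegation-only zone almost all of the growth is the NSEC plus its single RRSIG per delegation, which is why the ratio is insensitive to the zone's absolute size.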