[dns-operations] Some DNSSEC trivia

Florian Weimer fweimer at bfk.de
Mon Jan 7 15:20:05 UTC 2008

* Edward Lewis:

> At 18:51 +0100 1/2/08, Florian Weimer wrote:
>>it's roughly by a factor of 7 larger than .NET.  It might just be
>>possible to serve a DNSSEC-enabled .COM zone using cheap PC hardware. 8-)
> I don't think it's been doubted that a DNSSEC-signed .COM could be 
> served from a PC.

I'm still a bit surprised.  And I think there was a time when this was
not possible.  De-facto PCs (architecture-wise and price-wise) with
64 GB RAM have not been on sale for that long.

For .COM, the numbers are:

  Without DNSSEC:
    File size: 5.4 GB
    BIND 9 core size: 15.3 GB
    Zone load time: 30 minutes

  With DNSSEC (NSEC-based):
    File size: 43 GB
    BIND 9 core size: 45.3 GB
    Zone load time: 141 minutes
    Zone signing time: dnssec-signzone exceeded 64 GB process size,
                       poor access locality, no measurement possible

dnssec-signzone (from BIND 9.3) started to thrash really heavily when
all the work was done and dns_db_closeversion was called to clean up,
it seemed.  Before that, locality was good enough to make progress even
though the machine was about 15 GB of RAM short and was swapping.  If
this is fixed, wall-clock time for creating the signatures is probably
in excess of 800 minutes, but hard to estimate given this issue.
There is no reason why dnssec-signzone must have poor locality, so
this is a software issue and not a principal obstacle.

> Bandwidth and other matters are issues.  The problem has been in 
> managing the operational relationships involved in DNSSEC, dealing 
> with disruptive middle-ware, and coping with the constant maintenance 
> not needed today in DNS.

Due to better Name Error caching, DNSSEC might actually be a win,
bandwidth-wise.  The middlebox issue is nasty, though.  From my point
of view, the most pressing issue is who is responsible if DNSSEC
breaks stuff.  If I turn on DNSSEC and this impacts customers[*]
because they publish bad data, is this my fault or theirs?  I
understand that there is no easy answer at this stage.

[*] Not in the ISP sense.  Business transactions failing due to
  DNSSEC-induced DNS issues are my concern.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
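The figures above are for an NSEC-signed, delegation-only zone. The following Python is an added illustration (not part of this post, and not BIND code) of the two mechanisms behind them: it builds the NSEC chain for a small constructed zone in RFC 4034 canonical order (every name gains an NSEC and an RRSIG, which is where the size growth comes from), answers a Name Error with the covering NSEC, and models a resolver that reuses cached NSEC spans to answer later Name Errors without a round trip. Reading the post's remark about better Name Error caching as a reference to that span property is an assumption, as are the sample zone and all function names; the ancestor-delegation rule follows RFC 6840 section 4.1 and the cache reuse RFC 8198, both of which postdate this 2008 thread.

```python
"""Toy NSEC chain for a delegation-only zone: canonical ordering, the
covering NSEC for a Name Error, and resolver-side reuse of cached NSECs.
Added example; SAMPLE_ZONE is constructed data, not real .COM content."""
from typing import Dict, List, Optional, Set, Tuple

Nsec = Tuple[str, str, Set[str]]   # (owner, next owner, type bitmap)
Zone = Dict[str, Set[str]]         # owner name -> RR types present at it


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 section 6.1 canonical order: labels compared right to left as
    lowercase octet strings. A name's key is a prefix of its subdomains'
    keys, so it sorts before them; the apex therefore sorts first."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(zone: Zone) -> List[Nsec]:
    """One NSEC per authoritative name pointing at the canonically next name;
    the last one wraps to the apex, closing the chain. Each name thus gains
    an NSEC plus the RRSIG over it, which is the bulk of the size growth
    in a zone that is otherwise almost all unsigned NS delegations."""
    names = sorted(zone, key=canonical_key)
    return [(owner, names[(i + 1) % len(names)], set(zone[owner]) | {"NSEC", "RRSIG"})
            for i, owner in enumerate(names)]


def _below_delegation(nsec: Nsec, q: Tuple[bytes, ...]) -> bool:
    """True if q lies strictly below a delegation at nsec's owner. Such an
    NSEC proves nothing about the child zone (RFC 6840 section 4.1)."""
    o = canonical_key(nsec[0])
    return "NS" in nsec[2] and "SOA" not in nsec[2] and len(q) > len(o) and q[:len(o)] == o


def _covers(nsec: Nsec, q: Tuple[bytes, ...]) -> bool:
    """True if owner < q < next. The final NSEC has next < owner (it points
    back at the apex) and covers every name after its owner under the apex."""
    if _below_delegation(nsec, q):
        return False
    o, n = canonical_key(nsec[0]), canonical_key(nsec[1])
    if o < n:
        return o < q < n
    return q > o and q[:len(n)] == n


def lookup(chain: List[Nsec], qname: str) -> Tuple[str, Optional[Nsec]]:
    """Authoritative answer from the signed zone:
    ('NOERROR', nsec)  name exists; its NSEC bitmap proves which types exist
    ('REFERRAL', None) qname is below a delegation; the child zone answers
    ('NXDOMAIN', nsec) the NSEC whose span covers qname (a complete proof
                       also needs a wildcard denial, omitted here)"""
    q = canonical_key(qname)
    apex = canonical_key(chain[0][0])
    if q[:len(apex)] != apex:
        raise ValueError(f"{qname} is not under {chain[0][0]}")
    for nsec in chain:
        if q == canonical_key(nsec[0]):
            return "NOERROR", nsec
        if _below_delegation(nsec, q):
            return "REFERRAL", None
    for nsec in chain:
        if _covers(nsec, q):
            return "NXDOMAIN", nsec
    raise AssertionError("NSEC chain is not closed")


class NsecCache:
    """Resolver-side cache of validated NSECs. A cached NSEC proves the
    absence of every name in its span, so later Name Errors in that span
    need no query at all (the aggressive use later written up in RFC 8198).
    Not modelled: zones with wildcards, which need a closest-encloser check."""

    def __init__(self) -> None:
        self.records: List[Nsec] = []

    def learn(self, nsec: Optional[Nsec]) -> None:
        if nsec is not None and nsec not in self.records:
            self.records.append(nsec)

    def synthesize_nxdomain(self, qname: str) -> Optional[Nsec]:
        q = canonical_key(qname)
        return next((n for n in self.records if _covers(n, q)), None)


SAMPLE_ZONE: Zone = {                  # constructed sample data
    "com.": {"SOA", "NS", "DNSKEY"},
    "alpha.com.": {"NS", "DS"},        # signed child, DS present
    "alpha-1.com.": {"NS"},            # unsigned child; sorts after "alpha"
    "beta.com.": {"NS"},
    "Delta.com.": {"NS", "DS"},        # mixed case: ordering ignores case
}

if __name__ == "__main__":
    chain = build_nsec_chain(SAMPLE_ZONE)
    for owner, nxt, types in chain:
        print(f"{owner:14} NSEC {nxt:14} {' '.join(sorted(types))}")
    cache = NsecCache()
    for qname in ("b.com.", "bravo.com.", "zulu.com.", "www.alpha.com."):
        status, nsec = lookup(chain, qname)
        cache.learn(nsec)
        print(f"{qname:16} {status:8} {nsec[0] + ' -> ' + nsec[1] if nsec else ''}")
    # charlie.com. was never asked, but the cached beta -> Delta span covers it
    print("charlie.com. from cache:", cache.synthesize_nxdomain("charlie.com."))
```

The chain printout makes the ordering rule visible (alpha-1 after alpha, Delta sorted as delta), and the last two lines show the bandwidth point: once the beta.com. to Delta.com. NSEC is cached, any further name in that span is denied locally.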
