[dns-operations] Some DNSSEC trivia

Edward Lewis Ed.Lewis at neustar.biz
Mon Jan 7 15:49:54 UTC 2008


At 16:20 +0100 1/7/08, Florian Weimer wrote:

>There is no reason why dnssec-signzone must have poor locality, so
>this is a software issue and not a principal obstacle.

The problem was (in the stone ages) sorting the names into order 
assuming that the zonefile's lines were in random order.  I got 
around that by chopping the alphabet into 8 categories and stuffing 
it into files.  When the zone was in, I then sorted each file and 
then merged them all.

If it weren't for having to have a canonical ordering for the 
non-existence proofs, signing a zone would only need to make sure the 
RR sets were compiled.  And usually any self-respecting database to 
DNS generator would do that.

>Due to better Name Error caching, DNSSEC might actually be a win,
>bandwidth-wise.  The middlebox issue is nasty, though.  From my point
>of view, the most pressing issue is who is responsible if DNSSEC
>breaks stuff.  If I turn on DNSSEC and this impacts customers[*]
>because they publish bad data, is this my fault or theirs?  I
>understand that there is no easy answer at this stage.
>
>[*] Not in the ISP sense.  Business transactions failing due to
>   DNSSEC-induced DNS issues are my concern.

"might" is the important word in the first line.  It's a conjecture; 
"might" is a reflection of the risk involved.

As far as bandwidth, given Duane Wessels' sermon at a NANOG a few 
years back, it's been held that only about 2% of the DNS traffic at 
the roots is legitimate protocol work anyway.

For the ISP, there's a bon mot (meaning something I can't find a 
reference for) that says "If a customer calls the help desk, the 
profit on the customer's account is blown for a year.  If the call is 
escalated, the profit is gone forever."  Until DNSSEC offers to raise 
profit (raising revenue and/or lowering cost) by more than any outage 
it may cause, it'll be stalled.

Note that profit doesn't only mean money.  I'm using profit in the 
sense as having a net positive benefit.  I hope there's a dictionary 
that'll back me up on that.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Think glocally.  Act confused.
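The sorting problem described above, carried through as an added example (Python; not the poster's code and not dnssec-signzone's): the RFC 4034 canonical ordering that the non-existence proofs need, the bucket-then-sort-then-merge approach from the post, and the resulting NSEC next-owner chain. Names are assumed to be plain dotted strings without \DDD escapes, and the sample zone is constructed (it mirrors the ordering example in RFC 4034).

```python
"""DNSSEC canonical order (RFC 4034 s6.1) and the NSEC chain it yields,
using the post's bucket-the-alphabet-then-sort scheme. Added example, not
the poster's code. Assumes plain dotted names (no \\DDD escapes)."""


def canonical_key(name):
    """Labels compared from the root end, each bytewise with ASCII
    uppercase folded to lowercase; a name with fewer labels sorts first."""
    trimmed = name.rstrip(".")
    labels = trimmed.split(".") if trimmed else []
    return tuple(label.encode("ascii").lower() for label in reversed(labels))


def bucket_index(relative, buckets=8):
    """Bucket by the first byte of the label just below the apex. Buckets
    are contiguous byte ranges, so sorted buckets concatenate in order.
    The apex (no relative labels) sorts first and goes into bucket 0."""
    if not relative:
        return 0
    return relative[0][0] * buckets // 256


def canonical_sort(apex, names, buckets=8):
    """Scatter names into buckets, sort each bucket, then merge them."""
    apex_key = canonical_key(apex)
    by_key = {canonical_key(n): n for n in names}  # one entry per owner, any case
    piles = {}
    for key, name in by_key.items():
        if key[:len(apex_key)] != apex_key:
            raise ValueError(f"{name!r} is not inside zone {apex!r}")
        rel = key[len(apex_key):]
        piles.setdefault(bucket_index(rel, buckets), []).append((key, name))
    ordered = []
    for b in sorted(piles):  # merge: buckets are disjoint, ordered ranges
        ordered.extend(name for _, name in sorted(piles[b]))
    return ordered


def nsec_chain(apex, names):
    """(owner, next owner) pairs for NSEC records; the last wraps to the apex."""
    ordered = canonical_sort(apex, names)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]


# Constructed sample (mirrors RFC 4034's ordering example), deliberately out of order.
SAMPLE_ZONE = ["z.example", "zABC.a.EXAMPLE", "example", "*.z.example",
               "Z.a.example", "a.example", "yljkjljk.a.example"]

if __name__ == "__main__":
    for owner, nxt in nsec_chain("example", SAMPLE_ZONE):
        print(f"{owner:20} NSEC {nxt}")
```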
