[dns-operations] Some DNSSEC trivia
Ed.Lewis at neustar.biz
Mon Jan 7 15:49:54 UTC 2008
At 16:20 +0100 1/7/08, Florian Weimer wrote:
>There is no reason why dnssec-signzone must have poor locality, so
>this is a software issue and not a principal obstacle.
The problem was (in the stone ages) sorting the names into order
assuming that the zonefile's lines were in random order. I got
around that by chopping the alphabet into 8 categories and stuffing
it into files. When the zone was in, I then sorted each file and
then merged them all.
If it weren't for having to have a canonical ordering for the
non-existence proofs, signing a zone would only need to make sure the
RR sets were compiled. And usually any self-respecting database to
DNS generator would do that.
>Due to better Name Error caching, DNSSEC might actually be a win,
>bandwidth-wise. The middlebox issue is nasty, though. From my point
>of view, the most pressing issue is who is responsible if DNSSEC
>breaks stuff. If I turn on DNSSEC and this impacts customers[*]
>because they publish bad data, is this my fault or theirs? I
>understand that there is no easy answer at this stage.
>[*] Not in the ISP sense. Business transactions failing due to
> DNSSEC-induced DNS issues are my concern.
"might" is the important word in the first line. It's a conjecture,
"might" is a reflection of the risk involved.
As far as bandwidth, given a Duane Wessel's sermon at a NANOG a few
years back, it's been held that only about 2% of the DNS traffic at
the roots is legitimate protocol work anyway.
For the ISP, there's a bon mot (meaning something I can't find a
reference for) that says "If a customer calls the help desk, the
profit on the customer's account is blown for a year. If the call is
escalated, the profit is gone forever." Until DNSSEC offers to raise
profit (raising revenue and/or lowering cost) by more than any outage
it may cause, it'll be stalled.
Note that profit doesn't only mean money. I'm using profit in the
sense as having a net positive benefit. I hope there's a dictionary
that'll back me up on that.
Edward Lewis +1-571-434-5468
Think glocally. Act confused.
More information about the dns-operations