[dns-operations] nsec vs. nsec3
Edward Lewis
Ed.Lewis at neustar.biz
Wed Oct 15 18:52:39 UTC 2008
I wanted to run these results past the group to see if anyone
experienced the same. Using the BIND 9.6.0-alpha that came out
Monday, running on a laptop (for those who care about speed).
Starting with a 1 million delegation zone (n000000.tld to
n999999.tld), consisting of about 2.1 million NS records, 2.1 million
glue A records, and 1000 glue AAAA records, plus a handful more
records at the apex. Each has one KSK of RSASHA1 2048 and ZSK of
RSASHA1 1024.
dnssec-signzone -g -o tld -f nsecsignedzone.tld -t -v 1 -k Ktld.+005+15178. nseckeyedzone.tld Ktld.+005+48162.
Signatures generated: 1000006
Runtime in seconds: 6459.722
Signatures per second: 154.806
dnssec-signzone -g -o tld -f nsec3signedzone.tld -t -v 1 -k Ktld.+007+25044. -A -H 3 -3 cafebabe nsec3keyedzone.tld Ktld.+007+55238.
Signatures generated: 6
Runtime in seconds: 94.430
Signatures per second: 0.063
# millionzone.tld is the 1m delegations, nseckeyed is with alg 5, nsec3key is with alg 7, the *signed* are the results
wc -l millionzone.tld
4201034 millionzone.tld
ls -l
-rw-r--r-- 1 edlewis edlewis 153363337 Oct 14 18:31 millionzone.tld
-rw-r--r-- 1 edlewis edlewis 153363922 Oct 14 18:32 nseckeyedzone.tld
-rw-r--r-- 1 edlewis edlewis 485257869 Oct 15 14:25 nsecsignedzone.tld
-rw-r--r-- 1 edlewis edlewis 153363918 Oct 15 12:14 nsec3keyedzone.tld
-rw-r--r-- 1 edlewis edlewis 162257945 Oct 15 14:30 nsec3signedzone.tld
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.
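
Added example, not part of the message above and not BIND's code: a Python model of which RRsets need an RRSIG under NSEC, NSEC3, and NSEC3 with opt-out (the -A flag in the second command), with hashed owner names computed per RFC 5155 using the message's salt cafebabe and 3 iterations. The function names, the small constructed zone and the "no empty non-terminals" simplification are assumptions of this sketch; it counts RRsets, not the signer's exact RRSIG total.

```python
import base64
import hashlib

# base32 alphabet -> base32hex alphabet (RFC 4648), used for NSEC3 owner labels
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hashed owner label: SHA-1(wire name + salt), then
    `iterations` further rounds of SHA-1(previous digest + salt)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\0"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def rrsets_to_sign(zone, apex, mode, salt_hex="cafebabe", iterations=3):
    """Return the (owner, type) RRsets that need an RRSIG.
    zone maps owner name -> set of RR types; mode is "nsec", "nsec3"
    or "nsec3-optout". Assumes the zone has no empty non-terminals."""
    cuts = {o for o, t in zone.items() if o != apex and "NS" in t}
    signed, denial = [], []
    for owner, types in zone.items():
        if any(owner.endswith("." + c) for c in cuts):
            continue                          # glue below a cut: never signed
        if owner in cuts:
            secure = "DS" in types
            if secure:
                signed.append((owner, "DS"))  # only DS is signed at a cut
            if mode == "nsec3-optout" and not secure:
                continue                      # opt-out: no NSEC3 for insecure cuts
        else:
            signed += [(owner, t) for t in sorted(types)]
        denial.append(owner)
    if mode == "nsec":
        signed += [(o, "NSEC") for o in denial]
    else:
        signed.append((apex, "NSEC3PARAM"))
        signed += [(nsec3_hash(o, salt_hex, iterations) + "." + apex, "NSEC3")
                   for o in denial]
    return signed

def sample_zone(n):
    """Constructed zone: apex plus n insecure delegations, each with glue."""
    zone = {"tld": {"SOA", "NS", "DNSKEY"}}
    for i in range(n):
        zone[f"n{i:06d}.tld"] = {"NS"}
        zone[f"ns1.n{i:06d}.tld"] = {"A"}
    return zone
```

With opt-out the count stays fixed as insecure delegations are added, while the NSEC count grows by one RRset per delegation.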