[dns-operations] nsec vs. nsec3

Roy Arends roy at dnss.ec
Wed Oct 15 21:25:38 UTC 2008 

On Oct 15, 2008, at 8:52 PM, Edward Lewis wrote:

> I wanted to run these results pass the group to see if anyone  
> experienced the same.

The results do not surprise me. I've seen similar results with the  
signers from the NSEC3 testbed. The enormous differences in size and  
time are due to 'Opt-Out', which you specified using the '-A' flag. It  
would be significantly slower (and the file larger) without 'opt-out'.  
Also the number of iterations influences the speed (not its size). The  
ZSK size is also a factor in speed and size.

> Using the BIND 9.6.0-alpha that came out Monday, running on a laptop  
> (for those who care about speed).
>
> Starting with a 1 million delegation zone (n000000.tld to  
> n999999.tld), consisting of about 2.1 million NS records, 2.1  
> million glue A records, and 1000 glue AAAA records, plus a handful  
> more records at the apex.  Each has one KSK of RSASHA1 2048 and ZSK  
> of RSASHA1 1024.
>
> dnssec-signzone -g -o tld -f nsecsignedzone.tld -t -v 1 -k Ktld. 
> +005+15178. nseckeyedzone.tld Ktld.+005+48162.
>
> Signatures generated:                  1000006
> Runtime in seconds:                   6459.722
> Signatures per second:                 154.806
>
> dnssec-signzone -g -o tld -f nsec3signedzone.tld -t -v 1 -k Ktld. 
> +007+25044. -A -H 3 -3 cafebabe nsec3keyedzone.tld Ktld.+007+55238.
>
> Signatures generated:                        6
> Runtime in seconds:                     94.430
> Signatures per second:                   0.063

The signatures per second should in theory be the same. Clearly it is  
calculated by simply taking the number of signatures divided by the  
runtime in seconds.

> # millionzone.tld is the 1m delegations, nseckeyed is with alg 5,  
> nsec3key is with alg 7, the *signed* are the results
>
> wc -l millionzone.tld
> 4201034 millionzone.tld
>
>
> ls -l
>
> -rw-r--r--  1 edlewis  edlewis  153363337 Oct 14 18:31 millionzone.tld
>
> -rw-r--r--  1 edlewis  edlewis  153363922 Oct 14 18:32  
> nseckeyedzone.tld
> -rw-r--r--  1 edlewis  edlewis  485257869 Oct 15 14:25  
> nsecsignedzone.tld
>
> -rw-r--r--  1 edlewis  edlewis  153363918 Oct 15 12:14  
> nsec3keyedzone.tld
> -rw-r--r--  1 edlewis  edlewis  162257945 Oct 15 14:30  
> nsec3signedzone.tld



Regards,

Roy

More information about the dns-operations mailing list