[dns-operations] DNSSEC deployment in Sweden

Kjetil Jensen lists at kjette.se
Mon Jan 2 14:07:46 UTC 2012

Sure, it is no big secret :)

On 2011-12-28 17:17, Stephan Lagerholm wrote:
> Hi Kjetil and congratulations to this extraordinary achievement and for making the Internet a much safer place.
> May I ask you to provide some additional information on your signing system in terms of performance and HW used? 

We are running two environments, we have one old system that we are in a
process of migrating all customers to this new environment and the old
system uses just two PowerDNS nodes in a virtual environment and have
similar CPU and memory specs stated below.

Old: We are running with PowerDNS online signing, which means that the
signature is created in real time when DNS queries is answered, not in
advance. Signatures all have a fixed life span of two weeks, from
Thursday before the question to the Thursday following.

New: In our new system we use PowerDNS as "hidden signing master" which
means that one time per "SOA-refresh" the delegated slaves do an AXFR,
which causes all zones to be (online) signed again. We keep SOA-refresh
comfortably lower than the signature lifetime - which powerdns always
keeps at least a week in the future. We have 3 nodes behind that IP that
are load balanced and answering AXFR requests. Every node has 2 cores
available (Intel(R) Xeon(R) CPU X5650 @ 2.67GHz). 3GB of memory. This is
of course an virtual environment running VMware vSphere 5.

> I envision that it takes quite some time to sign all those zones? 

Not really, I did a test on one of our nodes and was ending up with 43
zones per second, and SOA refresh is set to 12h then AXFR's is spread
over these 12 hours, and my test took 49 minutes for approximately 150k
domains. This test was done on one specific node and not all ones
together, and with only one thread so this solution can handle much more
and it does that in reality (based on numbers from UltraDNS).

> Are you using the same key for all zones? 

We are using the same key for all zones.

> What key sizes are you using? 

KSK is 2048bits and ZSK is 1024bits.

> How do you handle updates? How often do you resign? Etc?

The users update the DNS data through their control panel. Atomia DNS
then propagates the data to the PowerDNS database on our hidden signing
master and sends a NOTIFY to UltraDNS, which performs an AXFR that
PowerDNS online signs and distributes the fresh zone internally to all
anycast nodes.

All in all the change is visible on all anycast nodes within a minute
from when the user pressed the save button.
Kindest Regards

Kjetil Jensen
Binero AB
E-mail: kjetil.jensen at binero.se
Switchboard #: +46 771-24 08 00
Direct #: +46 8-525 090 55 Ext: #1007
Cell #: +46 76 83 80 300

Follow Binero on twitter http://twitter.com/binero

More information about the dns-operations mailing list