[dns-operations] Data about load increase on *resolvers* when enabling DNSSEC validation?

Livingood, Jason Jason_Livingood at cable.comcast.com
Wed Sep 12 18:42:41 UTC 2012


May not be precisely what you are looking for but check out http://bit.ly/RJ7WmS

I would say that CPU utilization will not decrease, but that's pretty obvious. ;-) So there is a difference. We (at Comcast) knew IPv6 and DNSSEC were coming around the same time so we did that after a planned upgrade/replacement of servers and network elements. I'd need to do some investigation into our production data if this was interesting for others to know.

- Jason


On 9/9/12 12:54 PM, "Stephane Bortzmeyer" <bortzmeyer at nic.fr<mailto:bortzmeyer at nic.fr>> wrote:

There are many published papers about the load created by DNSSEC on
authoritative name servers. And a lot of practical experience as well,
some of it publically documented.

For the validating *resolvers*, I find on the Web a few tests in a lab
environment (setting up BIND or Unbound with and without validation,
and launching many DNS requests at them and measuring the differences)
but I do not find data about *actual* deployments, for instance an ISP
publishing the results of enabling validation ("We observed no
difference" or "We had to triple the number of boxes used as resolvers
because of the increased CPU load"). Any pointer?


_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120912/55acb52f/attachment.html>


More information about the dns-operations mailing list