[dns-operations] estimate DNSSEC signing power

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 17 17:49:49 UTC 2019

> On Sep 17, 2019, at 1:23 PM, A. Schulze <sca at andreasschulze.de> wrote:
> We discuss to DNSSEC sign internal zones. General opponents bring up concerns about signing zones with update rates "up to 100 updates per second"
> I like to ask for experience / opinions: Which resources would be required to sign such traffic?

With dynamic updates, zone signing can be incremental.  As with BIND's:

        auto-dnssec maintain;
        inline-signing yes;

Both RSA (slower) and ECDSA (faster) can handle O(1000) signatures per second.
Adding a signed node requires signing its RRsets (typically just A / AAAA) and
updating the NSEC chain, adding two new signed RRs for the (prev, node) and
(node, next) [ dropping (prev, node) from the dataset ].

A single CPU on my low-power SuperMicro server does (assembly optimized
P256) ~38k signatures/sec.  It has 4 cores 8 threads, and could do more
in parallel:

  $ openssl speed ecdsa
  Doing 256 bits sign ecdsa's for 10s: 382978 256 bits ECDSA signs in 10.01s 
  Doing 256 bits verify ecdsa's for 10s: 125160 256 bits ECDSA verify in 10.02s

That said, highly dynamic zones might instead consider "on-the-fly" signing
with ECDSA, in which case there's no additional cost at update time, all
the signing happens when serving authoritative answers to queries.  For
very high query rates a few extra machines may be needed to do the signing.
For this, only the ZSK needs to be "online" (on primary and secondary servers).
The KSKs can be off-line if desired, with the apex DNSKEY RRset re-signed
periodically by the active KSKs out-of-band and added to the zone.


More information about the dns-operations mailing list