[dns-operations] estimate DNSSEC signing power
Christian Petrasch
petrasch at denic.de
Wed Sep 18 07:11:40 UTC 2019
Hi Andreas,
it depends on which environment you want to use around the signer. If you
use an HSM or SoftHSM, for example, this would limit your signing capacity
more than the server does.
If you sign without an HSM, the CPU is the limiting factor.
We have something around 2.4 million signed records, and signing speed
tests with plain-text key material for the current Knot DNS signer, for
example, showed that it needs 1.5 minutes with parallel signing on 8 cores
of a 3.4 GHz Intel CPU.
With an HSM, the HSM slows this down, because the signatures are created
on the HSM.
best regards
--
Christian Petrasch
Product Owner
Zone Creation & Zone Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch at denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E 8841 549B E0AE
Information pursuant to § 25a para. 1 GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Martin Küchenthal, Andreas Musielak, Sebastian Röthler, Dr. Jörg
Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under no. 770 in the Register of Cooperatives, Local Court of
Frankfurt am Main
From: "A. Schulze" <sca at andreasschulze.de>
To: "DNS Operations List" <dns-operations at dns-oarc.net>
Date: 17.09.2019 19:40
Subject: [dns-operations] estimate DNSSEC signing power
Sent by: "dns-operations" <dns-operations-bounces at dns-oarc.net>
Hello,
we are discussing DNSSEC-signing internal zones. General opponents bring up
concerns about signing zones with update rates "up to 100 updates per
second".
I'd like to ask for experience / opinions: which resources would be required
to sign such traffic?
Personally, I understand "up to 100/s" as "once a week we start 100 servers
at the same time, sending some DNS updates, and this will stress a signer".
But it may also be understood as "100 updates/second 7x24".
I'm aware of .org, which I experience as "live signing every new zone". How
many new zones per unit of time happen there?
Thanks for your ideas!
Andreas
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations