[dns-operations] .ORG still using SHA-1 DNSKEYs

James Stevens dns at jrcs.net
Fri Feb 7 09:51:37 UTC 2020

> - You would be surprised how slow UDP packet processing in kernel can be ;-)

Often UDP slowness is due to the fact that each packet requires a 
context-switch from kernel to user-space, and back for the reply.

So the bottleneck on a DNS server is generally how fast the CPU can
context switch, and this often had a hardwired limit, in that you can
top out the packet throughput with the CPU still showing %idle.

I believe there is (or has been) a dev going on in the kernel to fix this.

I might be behind the curve; I've not looked into it for a bit.

> Algorithm 8 or 13 both seem like plausible targets, but opinions from the community would be very welcome.

I recently had to help a client make this exact same decision.

We felt they'd probably want to move to 13 one day, and one move is lower
risk than two.

It benefits from smaller UDP packets; big packets can become a problem
(esp. in v6), so we went for 13.

Changing algorithm is not fun.

