[dns-operations] .ORG still using SHA-1 DNSKEYs

Petr Špaček petr.spacek at nic.cz
Fri Feb 7 10:42:14 UTC 2020


On 07. 02. 20 10:51, James Stevens wrote:
>> - You would be surprised how slow UDP packet processing in kernel can be ;-)
> 
> Often UDP slowness is due to the fact that each packet requires a context-switch from kernel to user-space, and back for the reply.

To be less vague: Knot DNS spends about 40 % of its time waiting for UDP handling in the kernel.

> 
> So the bottleneck on a DNS server is generally how fast the CPU can context switch, and this often had a hardwired limit. In that you can top out the packet throughput with the CPU still showing %idle.
> 
> I believe there is (or has been) a dev going on in the kernel to fix this.
> 
> I might be behind the curve, I've not looked into it for a bit.
> 
>> Algorithm 8 or 13 both seem like plausible targets, but opinions from the community would be very welcome.
> 
> I recently had to help a client make this exact same decision.
> 
> We felt they'd probably want to move to 13 one day and one move is lower risk than two.
> 
> It benefits from smaller UDP packets; big packets can become a problem (esp. in v6), so we went for 13.
> 
> Changing algorithm is not fun.

Maybe you do not use the right software :-)

With the right automation it is just a matter of changing the algorithm specification plus a DS change at the parent.

See
https://www.knot-dns.cz/docs/2.9/singlehtml/#automatic-ksk-and-zsk-rollovers-example
(It works equally well for alg rollovers.)

Petr Špaček  @  CZ.NIC
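The packet-size argument for algorithm 13 in the exchange above can be quantified from the DNSKEY and RRSIG wire formats alone. The following is an added illustration, not code from the thread or from Knot DNS: it encodes DNSKEY and RRSIG RDATA per RFC 4034, RFC 3110 (RSA) and RFC 6605 (ECDSA P-256) and estimates the size of a DNSKEY response for algorithm 8 only, algorithm 13 only, and the transitional state of an algorithm rollover in which both algorithms' keys and signatures are published (RFC 4035 section 2.2 requires an RRSIG from every algorithm present in the DNSKEY RRset). Assumptions: RSA-2048 with exponent 65537, one KSK and one ZSK per algorithm, the DNSKEY RRset signed by the KSK of each algorithm, answer-section owner names compressed to a 2-byte pointer, the RRSIG signer name left uncompressed as RFC 4034 section 3.1.7 requires, and a 1232-byte EDNS buffer as the comparison point.

```python
"""Estimate DNSKEY-response sizes for DNSSEC algorithm 8 vs 13.

Added example (not from the thread or Knot DNS). Key parameters are
assumptions: RSA-2048/e=65537 for algorithm 8, P-256 for algorithm 13.
"""
import struct

ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13
FLAGS_ZSK = 256
FLAGS_KSK = 257
TYPE_DNSKEY = 48
EDNS_BUFFER = 1232  # assumed comparison point (DNS flag day 2020 value)


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rsa_pubkey_field(modulus_bits: int, exponent: int = 65537) -> bytes:
    """RFC 3110 section 2: exponent length (1 or 3 bytes), exponent, modulus.

    Modulus bytes are placeholders; only their length matters for sizing.
    """
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    length = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack("!H", len(exp))
    return length + exp + b"\xff" * (modulus_bits // 8)


def ecdsa_p256_pubkey_field() -> bytes:
    """RFC 6605 section 4: uncompressed point x || y, 32 bytes each."""
    return b"\xff" * 64


def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """RFC 4034 section 2.1: flags(2) protocol(1, always 3) algorithm(1) key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey


def rrsig_rdata(alg: int, signer: str, sig_len: int, labels: int) -> bytes:
    """RFC 4034 section 3.1: 18 bytes of fixed fields, signer name, signature.

    Type covered, algorithm, labels, original TTL, expiration, inception,
    key tag; TTL/times/key tag are placeholders, the signer name is never
    compressed on the wire (RFC 4034 section 3.1.7).
    """
    fixed = struct.pack("!HBBIIIH", TYPE_DNSKEY, alg, labels, 3600, 0, 0, 0)
    return fixed + wire_name(signer) + b"\xff" * sig_len


def rr_size_compressed_owner(rdata: bytes) -> int:
    """Answer RR whose owner is a 2-byte compression pointer to the QNAME."""
    return 2 + 10 + len(rdata)  # pointer + type/class/ttl/rdlength + rdata


SIG_LEN = {ALG_RSASHA256: 256, ALG_ECDSAP256SHA256: 64}
PUBKEY = {ALG_RSASHA256: rsa_pubkey_field(2048),
          ALG_ECDSAP256SHA256: ecdsa_p256_pubkey_field()}


def dnskey_response_size(zone: str, algs) -> int:
    """Bytes in a DNSKEY answer: header, question, OPT RR, then per
    algorithm one KSK, one ZSK and one KSK-made RRSIG over the RRset."""
    qname = wire_name(zone)
    labels = len([l for l in zone.rstrip(".").split(".") if l])
    size = 12 + len(qname) + 4 + 11  # header, question, OPT pseudo-RR
    for alg in algs:
        for flags in (FLAGS_KSK, FLAGS_ZSK):
            size += rr_size_compressed_owner(dnskey_rdata(flags, alg, PUBKEY[alg]))
        size += rr_size_compressed_owner(rrsig_rdata(alg, zone, SIG_LEN[alg], labels))
    return size


def fits_in_buffer(size: int, limit: int = EDNS_BUFFER) -> bool:
    return size <= limit


if __name__ == "__main__":
    zone = "example."  # constructed sample zone
    for label, algs in (("alg 8 only", [ALG_RSASHA256]),
                        ("alg 13 only", [ALG_ECDSAP256SHA256]),
                        ("rollover, 8+13", [ALG_RSASHA256, ALG_ECDSAP256SHA256])):
        n = dnskey_response_size(zone, algs)
        print(f"{label:16s} {n:5d} bytes  fits {EDNS_BUFFER}: {fits_in_buffer(n)}")
```

The transitional 8+13 state is the one worth checking before scheduling a rollover: it is the largest DNSKEY response the zone will ever serve, and adding a second ZSK (a concurrent ZSK rollover) or a longer RSA modulus pushes it further towards the EDNS buffer, which is exactly the v6 fragmentation problem mentioned above.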