[dns-operations] .ORG still using SHA-1 DNSKEYs
Petr Špaček
petr.spacek at nic.cz
Fri Feb 7 10:42:14 UTC 2020
On 07. 02. 20 10:51, James Stevens wrote:
>> - You would be surprised how slow UDP packet processing in kernel can be ;-)
>
> Often UDP slowness is due to the fact that each packet requires a context-switch from kernel to user-space, and back for the reply.
To be less vague: Knot DNS spends about 40 % of time waiting for UDP handling in kernel.
>
> So the bottleneck on a DNS server is generally how fast the CPU can context switch, and this often had a hardwired limit. In that you can top out the packet throughput with the CPU still showing %idle.
>
> I believe there is (or has been) a dev going on in the kernel to fix this.
>
> I might be behind the curve, I've not looked into it for a bit.
>
>> Algorithm 8 or 13 both seem like plausible targets, but opinions from the community would be very welcome.
>
> I recently had to help a client make this exact same decision.
>
> We felt they'd probably want to move to 13 one day and one move is lower risk than two.
>
> It benefits from smaller UDP packets, big packets can become a problem (esp in v6), so we went for 13.
>
> Changing algorithm is not fun.
Maybe you do not use the right software :-)
With right automation it is just matter of changing alg. specification + DS change at parent.
See
https://www.knot-dns.cz/docs/2.9/singlehtml/#automatic-ksk-and-zsk-rollovers-example
(It works equally well for alg rollovers.)
Petr Špaček @ CZ.NIC
More information about the dns-operations
mailing list