<font size=2 face="sans-serif">Hi Andreas, </font>
<br>
<br><font size=2 face="sans-serif">it depends on which environment you
want to use around the signer. If you use HSM or SoftHSM for example this
would limit your signing capacity more than the server.. </font>
<br><font size=2 face="sans-serif">If you sign without HSM the CPU is the
limitation factor. </font>
<br>
<br><font size=2 face="sans-serif">We have sth. around 2,4 Mio signed records
and signing speed tests with plain text key material for the actual KNOTdns
signer f.e resulted that it needs 1,5 minutes with parallel signing with
8 cores of a 3,4 Ghz Intel CPU. </font>
<br><font size=2 face="sans-serif">With HSM, the HSM slows this down, because
the signatures will be created on the HSM..</font>
<br>
<br><font size=2 face="sans-serif">best regards</font>
<br>
<br><font size=2 face="sans-serif">-- <br>
Christian Petrasch <br>
Product Owner <br>
Zone Creation & Zone Signing<br>
IT-Services<br>
<br>
DENIC eG<br>
Kaiserstraße 75-77<br>
60329 Frankfurt am Main<br>
GERMANY<br>
<br>
E-Mail: petrasch@denic.de<br>
</font><a href=http://www.denic.de/><font size=2 face="sans-serif">http://www.denic.de</font></a><font size=2 face="sans-serif"><br>
<br>
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E
8841 549B E0AE <br>
<br>
Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main)<br>
Vorstand: Martin Küchenthal, Andreas Musielak, Sebastian Röthler, Dr. Jörg
Schweiger<br>
Vorsitzender des Aufsichtsrats: Thomas Keller<br>
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt
am Main</font>
<br>
<br>
<br>
<br><font size=2 color=#5f5f5f face="sans-serif">Von:
</font><font size=2 face="sans-serif">"A. Schulze"
<sca@andreasschulze.de></font>
<br><font size=2 color=#5f5f5f face="sans-serif">An:
</font><font size=2 face="sans-serif">"DNS Operations
List" <dns-operations@dns-oarc.net></font>
<br><font size=2 color=#5f5f5f face="sans-serif">Datum:
</font><font size=2 face="sans-serif">17.09.2019 19:40</font>
<br><font size=2 color=#5f5f5f face="sans-serif">Betreff:
</font><font size=2 face="sans-serif">[dns-operations]
estimate DNSSEC signing power</font>
<br><font size=2 color=#5f5f5f face="sans-serif">Gesendet von:
</font><font size=2 face="sans-serif">"dns-operations"
<dns-operations-bounces@dns-oarc.net></font>
<br>
<hr noshade>
<br>
<br>
<br><font size=2 face="sans-serif">Hello,<br>
<br>
we discuss to DNSSEC sign internal zones. General opponents bring up concerns
about signing zones with update rates "up to 100 updates per second"<br>
<br>
I like to ask for experience / opinions: Which resources would be required
to sign such traffic?<br>
<br>
Personally, I understand "up to 100/s" as "once a week we
start 100 serves at the same time, sending some DNS updates and this will
stress a signer"<br>
But it may also be understand as "100 updates/second 7x24"<br>
<br>
I'm aware of .org which I experience as "life signing every new zone".
How many new zones/time happen there?<br>
<br>
Thanks for your ideas!<br>
Andreas<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
dns-operations@lists.dns-oarc.net<br>
</font><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations"><font size=2 face="sans-serif">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</font></a><font size=2 face="sans-serif"><br>
</font>
<br>
<br>