[dns-wg] What about the last mile, was: getting DNSSEC deployed
Lutz Donnerhacke lutz at iks-jena.de
Fri Feb 16 11:20:58 CET 2007
* Jim Reid wrote:
> It would be good to get some real numbers here.

Yep.

> Dropping the NXDOMAINs by 70% seems very strange. If the same number of
> queries are being made as before, what answers are they getting back
> instead of NXDOMAIN?

*g* The good answers are usually cached on the customer side. Only the bad queries are resent after a short negative caching period. The validating resolver does not itself requery those questions but responds NXDOMAIN from a cached and valid NSEC.

>> Crypto is cheap compared to networking.
>
> Please explain how you arrive at this conclusion.

RRSIG validation occurs on every freshly received record. Then the result of the validation is cached. OTOH, resolving a query recursively requires at least one packet exchange with a remote system. This takes time. I compare the timing and conclude that

  time_validating = time_queryDNSSEC + time_validation + n*time_lookup

and

  time_recursing = n*time_query

need not be in a strict order for every n. Speaking for the locally hosted signed zones (~500), I observe a big win. The win would be much bigger if the root were signed (because the resolver would know from cache which TLDs do not exist), so setting up a signed root for ourselves is a probable project in the near future.
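An added example (not from the post or from Lutz's resolver) of the step described above: a validating resolver answering NXDOMAIN from cached NSEC records instead of recursing. Canonical ordering follows RFC 4034 section 6.1 and the wildcard step RFC 4035 section 5.4; RRSIGs are assumed already validated, NSEC type bitmaps (delegations) are ignored, and the NSEC chain is constructed sample data.

```python
from typing import List, Optional, Tuple

NSEC = Tuple[str, str]  # (owner name, next name), both absolute

# Constructed NSEC chain for a zone "example." (sample data, not real records).
SAMPLE_CHAIN: List[NSEC] = [("example.", "alpha.example."), ("alpha.example.", "bravo.example."),
                            ("bravo.example.", "zulu.example."), ("zulu.example.", "example.")]

def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for DNS canonical order: labels compared right to left,
    case-insensitively; a name that is a prefix (fewer labels) sorts first."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the interval (owner, next) of this NSEC proves qname is absent.
    The last NSEC of a zone wraps: its next name is the apex, which sorts
    before the owner, so it covers every in-zone name after the owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if q == o:
        return False                       # the name exists; this NSEC describes it
    if o < n:
        return o < q < n                   # ordinary interval inside the chain
    return q > o and q[: len(n)] == n      # wrapped interval; stay inside the zone

def closest_encloser(owner: str, nxt: str, qname: str) -> str:
    """Longest existing ancestor of qname, derived from the covering NSEC."""
    q, best = canonical_key(qname), ()
    for cand in (canonical_key(owner), canonical_key(nxt)):
        i = 0
        while i < min(len(q), len(cand)) and q[i] == cand[i]:
            i += 1
        best = max(best, cand[:i], key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."

def cached_nxdomain(cache: List[NSEC], qname: str) -> Optional[Tuple[NSEC, NSEC]]:
    """Return the (qname-covering, wildcard-covering) NSEC pair that lets a
    validating resolver answer NXDOMAIN without an upstream query, else None."""
    for rec in cache:
        if nsec_covers(*rec, qname):
            wildcard = "*." + closest_encloser(*rec, qname)
            for wrec in cache:
                if nsec_covers(*wrec, wildcard):
                    return rec, wrec
            return None                    # a wildcard may exist: must recurse
    return None                            # no proof in cache: must recurse
```

A None result is exactly the case where the resolver pays the network round trip; every non-None result is an NXDOMAIN served from cache, which is why the upstream NXDOMAIN count drops while the client-side query count does not.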