From president at ukraine.su Fri Jul 30 13:14:51 2010 From: president at ukraine.su (Max Tulyev) Date: Fri, 30 Jul 2010 14:14:51 +0300 Subject: [dns-wg] DNSSEC and DNS slowdown Message-ID: <4C52B42B.6080703@ukraine.su> Hello! I have a strange problem. When I enable DNSSEC in my resolver (bind 9) - it slows down in several times. What do I do wrong? Or may be it is a feature? -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253 at FIDO) From dave at knig.ht Fri Jul 30 15:30:54 2010 From: dave at knig.ht (Dave Knight) Date: Fri, 30 Jul 2010 09:30:54 -0400 Subject: [dns-wg] DNSSEC and DNS slowdown In-Reply-To: <4C52B42B.6080703@ukraine.su> References: <4C52B42B.6080703@ukraine.su> Message-ID: <574958EC-9E22-4430-A911-33DA7286D72A@knig.ht> Hi Max, On 2010-07-30, at 7:14 AM, Max Tulyev wrote: > Hello! > > I have a strange problem. When I enable DNSSEC in my resolver (bind 9) - > it slows down in several times. > > What do I do wrong? Or may be it is a feature? Your question might be better asked over on , however... Switching on DNSSEC validation gives the resolver more work to do, that might slow it down a bit, but not so you'd notice if things are working properly. If you're using a DLV it will have even more work to do, which might slow it down a bit more. If the path between your resolver and the authority servers isn't able to properly pass larger responses you might be suffering from timeouts which would slow it down a lot. A tcpdump at the resolver would probably be informative. dave From dougb at dougbarton.us Fri Jul 30 20:07:12 2010 From: dougb at dougbarton.us (Doug Barton) Date: Fri, 30 Jul 2010 11:07:12 -0700 Subject: [dns-wg] DNSSEC and DNS slowdown In-Reply-To: <4C52B42B.6080703@ukraine.su> References: <4C52B42B.6080703@ukraine.su> Message-ID: <4C5314D0.3090302@dougbarton.us> On 07/30/10 04:14, Max Tulyev wrote: > Hello! > > I have a strange problem. When I enable DNSSEC in my resolver (bind 9) - > it slows down in several times. What did you do _exactly_ to enable it? (Hint, if you simply twiddled knobs without configuring at least one trust anchor ...) hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso