[dns-wg] What about the last mile, was: getting DNSSEC deployed
Lutz Donnerhacke
lutz at iks-jena.de
Fri Feb 16 11:20:58 CET 2007
* Jim Reid wrote:
> It would be good to get some real numbers here.

Yep.

> Dropping the NXDOMAINs by 70% seems very strange. If the same number of
> queries are being made as before, what answers are they getting back
> instead of NXDOMAIN?

*g* The good answers are usually cached on customer side. Only the bad queries are resent after a short negative caching period. The validating resolver does not itself requery those questions but responds (from a cached and valid NSEC) NXDOMAIN.

>> Crypto is cheap compared to networking.
>
> Please explain how you arrive at this conclusion.

RRSIG validation does occur on every freshly received record. Then the result of the validation is cached. OTOH resolving a query recursively requires at least one packet exchange with a remote system. This takes time.

I compare timing and conclude that
  time_validating = time_queryDNSSEC + time_validation + n*time_lookup
and
  time_recursing = n*time_query
must not be in a strict order for every n.

Speaking for the locally hosted signed zones (~500) I observe a big win. The win will be much better if the root were signed (because the resolver knows which TLD does not exist from cache), so that setting up a signed root for ourselves is a probable project in the near future.
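The behaviour described in the message above, where repeated bad queries are answered NXDOMAIN from a cached and valid NSEC instead of being re-queried, can be sketched as follows. This is an added example, not part of the original post: the zone, the query stream and all function names are constructed, the NSEC records are assumed to be RRSIG-validated already, and wildcard and type-bitmap checks are left out.

```python
def canonical_key(name):
    # RFC 4034 section 6.1 canonical order: lowercase, labels compared right to left
    labels = name.lower().rstrip(".").split(".")
    return [l.encode("ascii") for l in reversed(labels) if l]

class NsecNegativeCache:
    """Holds NSEC spans that are assumed to be RRSIG-validated already."""
    def __init__(self):
        self.spans = []  # (owner_key, next_key, expires_at)

    def add(self, owner, next_name, ttl, now):
        self.spans.append((canonical_key(owner), canonical_key(next_name), now + ttl))

    def proves_nxdomain(self, qname, now):
        q = canonical_key(qname)
        for owner, nxt, expires in self.spans:
            if expires <= now:
                continue  # negative caching period is over
            if owner < nxt and owner < q < nxt:
                return True
            # Last NSEC of the zone: "next" wraps around to the apex.
            if owner >= nxt and q > owner and q[:len(nxt)] == nxt:
                return True
        return False

ZONE = ["example.", "alpha.example.", "mail.example.", "www.example."]  # constructed

def covering_nsec(qname):
    """Constructed stand-in for the authoritative server's NSEC answer."""
    names = sorted(ZONE, key=canonical_key)
    q = canonical_key(qname)
    i = max(k for k, n in enumerate(names) if canonical_key(n) < q)
    return names[i], names[(i + 1) % len(names)]

def upstream_queries(stream, ttl=300):
    """Count queries that still have to leave the resolver."""
    cache, sent = NsecNegativeCache(), 0
    for now, qname in stream:
        if cache.proves_nxdomain(qname, now):
            continue  # NXDOMAIN answered locally from the cached NSEC
        sent += 1
        cache.add(*covering_nsec(qname), ttl, now)
    return sent

# Constructed stream of (seconds, non-existent name)
STREAM = [(0, "bogus.example."), (1, "ftp.example."), (2, "x.bogus.example."),
          (3, "zzz.example."), (4, "xyz.example."), (5, "nope.example."),
          (400, "ftp.example.")]

if __name__ == "__main__":
    print(len(STREAM), "queries received,", upstream_queries(STREAM), "sent upstream")
```
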