meeting summary: 15 June 2005
James M Galvin
galvin at elistx.com
Sun Jun 19 14:18:49 EDT 2005
DNSSEC Deployment Working Group
15 June 2005
Mike St. Johns
-- ICANN Luxembourg Meeting
If you plan to be in Luxembourg, even if you are not firmly committed
yet, please let Allison Mankin know (or send a note to the list). The
current plan is for the DNSSEC presentations to be on July 12 and 13.
-- DNSSEC Performance - Scott Rose
NIST has a project related to DNSSEC Performance. Scott Rose will
describe what NIST is doing and the tools they are creating. A
presentation of the material to be discussed can be found as a PDF
attachment to this message.
For those with Shinkuro, there is a new Shinkuro folder "DNSSEC
Performance". If you would like to be added to the membership
please let Jim Galvin know and he will add you.
Olafur Gudmundsson distributed a proposed set of metrics for
authoritative servers. Scott Rose noted the list could be integrated
with the work going on at NIST.
Scott pointed out that NIST prefers to develop tools to assist others in
benchmarking their environments. One of the problems with doing the
benchmarking directly is there is always some environment that is not
Some of the tools and materials they have or are working on include the
* A tool to anonymize zone files, so users can benchmark their
environments and then share the results.
* A query workload generator is in development.
* Sample zone files and workloads.
* Tools to measure.
Olaf Kolkman reported on a test lab that was created when NSD was
developed. A presentation from RIPE 42 has a schematic:
It creates a live, real-time query load to a server. It creates a
complete packet history so the queries and responses can be analyzed
The current plan is to use the test lab to see what happens when you sign
all your zones.
Jaap Akkerhuis added that the numbers he reported previously come from
using the tools but simulating the signing.
Olaf noted that his target audience for reporting the performance of
DNSSEC is interested in the following measurements.
* disk space
* memory load
* network load
* number of customers that do not get responses
Steve Crocker characterized them generally as:
Olaf added "disk space", noting the DNS provisioners are interested in
what they will "feel". For example, they will also "feel" support calls
when "DNS fails". Their goal is for the number of answers not delivered
to be zero.
Steve made an important distinction between bandwidth and packet size.
Packets may expand by 2 or 3 times but that does not tell you how much
more bandwidth you need, which does not expand at the same rate (usually
less). People see these large packets and assume they have a serious
problem. Olaf acknowledged that he will be looking at this issue as his
Allison Mankin emphasized a need to ensure consistency about metrics.
She suggested we ask people to be consistent and proposed we try to get
people with performance labs or metrics together at the next IETF. We
could use Bill Manning's room and use the time to compare metrics, show
how they're related, and establish appropriate terminology.
Steve agreed, adding that we need a clear statement of what the
measurements are. Allison suggested the goal of performance measurement
in DNSSEC is to show that it does not have this deep degrading
performance that seems to be the perception.
Steve asked for a rundown of the different performance activities we
* Scott Rose - tools
* Olaf Kolkman - tools and measurement
* Olafur Gudmundsson - metrics and reports
-- .GOV Update
Scott Rose reported on his efforts to get .GOV signed. Overall folks in
most US Government agencies have been receptive but there is the usual
government bureaucracy to work through. There are some concerns about
managing secure entry points and about whether or not DNSSEC is ready.
Next steps include more meetings with policy people and approaching the
Federal CIO Council to get them up-to-speed.