meeting summary: 15 June 2005

James M Galvin galvin at elistx.com
Sun Jun 19 14:18:49 EDT 2005


DNSSEC Deployment Working Group
15 June 2005


PRESENT:
    Steve Crocker
    Jim Galvin

    Steve Cheung
    Jaap Akkerhuis
    Allison Mankin
    Mark Kosters
    Mike St. Johns
    Olafur Gudmundsson
    Olaf Kolkman
    Peter Koch
    Scott Rose
    Suresh Krishnaswamy
    Suzanne Woolf
    Amy Friedlander


REGRETS:
    Ralph Droms


SUMMARY

 -- ICANN Luxembourg Meeting

If you plan to be in Luxembourg, even if you are not firmly committed
yet, please let Allison Mankin know (or send a note to the list).  The
current plan is for the DNSSEC presentations to be on July 12 and 13.


 -- DNSSEC Performance - Scott Rose

    NIST has a project related to DNSSEC Performance.  Scott Rose will
    describe what NIST is doing and the tools they are creating.  A
    presentation of the material to be discussed can be found as a PDF
    attachment to this message.

    For those with Shinkuro, there is a new Shinkuro folder "DNSSEC
    Performance".  If you would like to be added to the membership
    please let Jim Galvin know and he will add you.

Olafur Gudmundsson distributed a proposed set of metrics for
authoritative servers.  Scott Rose noted the list could be integrated
with the work going on at NIST.

Scott pointed out that NIST prefers to develop tools to assist others in
benchmarking their environments.  One of the problems with doing the
benchmarking directly is there is always some environment that is not
tested.

Some of the tools and materials they have or are working on include the
following.

* A tool to anonymize zone files, so users can benchmark their
  environments and then share the results.

* A query workload generator is in development.

* Sample zone files and workloads.

* Tools to measure.

Olaf Kolkman reported on a test lab that was created when NSD was
developed.  A presentation from RIPE 42 has a schematic:

 
http://www.ripe.net/ripe/meetings/ripe-42/presentations/ripe42-dns-distel/sld007.html

It creates a live, real-time query load to a server.  It creates a
complete packet history so the queries and responses can be analyzed
later.

The current plan is to use the test lab to see what happens when you
sign all your zones.

Jaap Akkerhuis added that the numbers he reported previously come from
using the tools but simulating the signing.

Olaf noted that his target audience for reporting the performance of
DNSSEC is interested in the following measurements.

* disk space
* memory load
* network load
* number of customers that do not get responses

Steve Crocker characterized them generally as:

* memory
* computation
* bandwidth

Olaf added "disk space", noting the DNS provisioners are interested in
what they will "feel".  For example, they will also "feel" support calls
when "DNS fails".  Their goal is for the number of answers not delivered
to be zero.

Steve made an important distinction between bandwidth and packet size.
Packets may expand by 2 or 3 times but that does not tell you how much
more bandwidth you need, which does not expand at the same rate (usually
less).  People see these large packets and assume they have a serious
problem.  Olaf acknowledged that he will be looking at this issue as his
testing progresses.

Allison Mankin emphasized a need to ensure consistency about metrics.
She suggested we ask people to be consistent and proposed we try to get
people with performance labs or metrics together at the next IETF.  We
could use Bill Manning's room and use the time to compare metrics, show
how they're related, and establish appropriate terminology.

Steve agreed, adding that we need a clear statement of what the
measurements are.  Allison suggested the goal of performance measurement
in DNSSEC is to show that it does not have this deep degrading
performance that seems to be the perception.

Steve asked for a run down of the different performance activities we
know about.

* Scott Rose - tools
* Olaf Kolkman - tools and measurement
* Olafur Gudmundsson - metrics and reports


 -- .GOV Update

Scott Rose reported on his efforts to get .GOV signed.  Overall folks in
most US Government agencies have been receptive but there is the usual
government bureaucracy to work through.  There are some concerns about
managing secure entry points and about whether or not DNSSEC is ready.

Next steps include more meetings with policy people and approaching the
Federal CIO Council to get them up-to-speed.



