[dnssec-deployment] Mal ein paar DNSSEC Statistiken / Some DNSSEC statistics

Jeroen Massar jeroen at unfix.org
Wed Jan 2 10:33:25 EST 2008


Mark Andrews wrote:
[..]
>> Note that I mention subnets, as signing the tunnel spaces is, due to the
>> amount of space, nearly impossible. The above would at least need a DLV to be
>> inserted for a few zones and allow a lot of folks to have DNSSEC-enabled
>> reverses.
> 
> 	Or just be slightly more imaginative with how you organise
> 	the zones.  Assuming a /32, create zones for each of the
> 	/36's and only sign those that have signed children.  Similarly
> 	for the /40's and /44's in turn.

Well, in the case of the tunnel space everything contains data and thus
can be signed, as it is fully in our control. The issue with the tunnel
spaces, though, is that those are /48's containing /64's, with every /64's
::1 + ::2 being the local and remote endpoint. That is a 65k * 2 = 128k
record zone with fairly long record names, e.g. cl-42.dub-01.ie.sixxs.net.

I did a test sign for one such zone and found out that it would need
quite a bit of extra memory to load the signed zone, an amount which
would be a bit too high for our setup. Note that we have 25 such
zones and I recall the amount of memory used per zone was something
like 100 MB extra, thus 2.5 GB extra, which really is way too much for our
setup. Thus, only signing the subnets which get delegated to users is a
good start and allows them to start playing with it.

Greets,
 Jeroen
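The two points in this exchange, the size of a fully populated /48 reverse zone (::1 and ::2 in each of the 65536 /64s) and Mark's nibble-boundary layout (/36, /40, /44 zones under a /32, signing only those with signed children), can be worked through with the standard library. The code below is an added illustration, not something posted in the thread or used by SIXXS; the 2001:db8::/32 prefixes are constructed documentation addresses, and the function names are the example's own.

```python
import ipaddress


def ip6_arpa_name(prefix: str) -> str:
    """Return the ip6.arpa zone name for a nibble-aligned IPv6 prefix.

    Reverse zones can only be cut on 4-bit boundaries, which is why the
    thread talks about /36, /40 and /44 zones rather than, say, /34.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4 != 0:
        raise ValueError("reverse zones must sit on a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    used = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(used)) + ".ip6.arpa."


def endpoint_ptr_owners(prefix48: str):
    """Yield the PTR owner names for ::1 and ::2 of every /64 inside a /48.

    This is the tunnel-space layout described in the mail: one /64 per
    tunnel, local endpoint ::1, remote endpoint ::2.
    """
    net = ipaddress.IPv6Network(prefix48, strict=True)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 tunnel prefix")
    for subnet_id in range(1 << 16):          # 65536 /64s in a /48
        for host in (1, 2):
            addr = net.network_address + (subnet_id << 64) + host
            nibbles = addr.exploded.replace(":", "")
            yield ".".join(reversed(nibbles)) + ".ip6.arpa."


def count_endpoint_records(prefix48: str) -> int:
    """Number of PTR records a fully populated /48 tunnel zone carries."""
    return sum(1 for _ in endpoint_ptr_owners(prefix48))


def zones_to_sign(parent: str, signed_children: list, step: int = 4) -> list:
    """Apply Mark's scheme: list the intermediate nibble zones between the
    parent and each signed child that must themselves be signed so the
    chain of trust reaches the child. Zones with no signed child are not
    listed and can stay unsigned.
    """
    p = ipaddress.IPv6Network(parent, strict=True)
    needed = set()
    for child in signed_children:
        c = ipaddress.IPv6Network(child, strict=True)
        if not c.subnet_of(p):
            raise ValueError(f"{child} is not inside {parent}")
        # Walk from the parent's length down to (not including) the child's
        # length in nibble steps, recording the enclosing zone at each level.
        for plen in range(p.prefixlen, c.prefixlen, step):
            needed.add(str(c.supernet(new_prefix=plen)))
    return sorted(
        needed,
        key=lambda s: (ipaddress.IPv6Network(s).prefixlen,
                       ipaddress.IPv6Network(s).network_address),
    )


if __name__ == "__main__":
    # Constructed example: two customer /48s delegated (and signed) under a /32.
    print(ip6_arpa_name("2001:db8::/32"))
    print(count_endpoint_records("2001:db8:1234::/48"), "PTR records in one /48 tunnel zone")
    for z in zones_to_sign("2001:db8::/32", ["2001:db8:1234::/48", "2001:db8:1299::/48"]):
        print(z, "->", ip6_arpa_name(z))
```

Run as a script it prints the 131072 records a single populated /48 holds, matching the "65k * 2 = 128k" figure in the mail, and shows that two signed /48s sharing the same /36 and /40 need only five signed ancestor zones out of the 16 + 256 + 4096 nibble zones that exist between a /32 and its /48s; the remaining ones carry plain delegations and never need to be loaded signed.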
