[Dnssec-deployment] PayPal says they are now all signed (Akamai)

Jimmy Hess mysidia at gmail.com
Thu Dec 15 14:46:12 EST 2011

On Thu, Dec 15, 2011 at 12:34 PM, Dave Lawrence <tale at dd.org> wrote:
> Complex to say the least.  Current thinking is that it would actually
> be some sort of hybrid approach, with some signatures done based
> on predictive analysis while others would be done ad hoc.  There's a

It seems like this could be tightly integrated with the 'dynamic
signing' functionality of the DNS responder, via an adaptive response
cache that keeps the signature in memory and seeks to minimize the
number of crypto operations as well, at the cost of gigabytes of disk
space and RAM, instead of just attempting to minimize the amount of
disk I/Os like normal authoritative nameserver caches.

A simple message digest could be used to verify that a signature being
pulled from cache still matches the response records; there is no
reason to limit the cache lifetime of the signature to the TTL. As long
as the response does not change, the checksum does not change, and as
long as the signature is still being used, it should be kept in the
cache.

Then you need a good cache policy, but no complex precomputation scheme
that tries to anticipate all the response combinations; that is, manual
precomputation sounds like a wasted exercise.
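An added example of the digest-keyed signature cache sketched in the post above; it is not code from the thread or from any nameserver. The cache key is a SHA-256 digest of the canonical RRset, so reordered rdata or a differently-cased owner name still hits, and a cache hit is decided by remaining RRSIG validity rather than by record TTL. The `toy_sign` HMAC, the `ZONE_KEY`, the `FakeClock` and the sample records are constructed stand-ins (assumptions) for the real private-key operation and real traffic. One check the post does not spell out: a cached signature can outlive any number of TTLs, but not the RRSIG expiration, so the cache re-signs once an entry gets within `refresh_margin` of expiring.

```python
"""Digest-keyed RRSIG cache for an on-the-fly (dynamic) DNSSEC signer.

Added example, not code from any nameserver. The signing primitive is a
toy HMAC stand-in (assumption) for the real private-key operation, and
the clock is injectable so the example runs deterministically offline.
"""
import hashlib
import hmac
import time
from collections import OrderedDict

# Constructed toy key; a real signer would hold the zone's private key.
ZONE_KEY = b"toy-zone-signing-key-not-for-production"


def canonical_rrset(owner, rtype, ttl, rdatas):
    """Canonical form of an RRset in the spirit of RFC 4034 section 6:
    lowercase, fully-qualified owner name and rdata in sorted order, so
    the same records in a different order produce the same digest."""
    owner = owner.lower().rstrip(".") + "."
    body = "\n".join(sorted(rdatas))
    return f"{owner} {ttl} IN {rtype}\n{body}".encode()


def rrset_digest(canon):
    """Cache key: a message digest of the canonical response records."""
    return hashlib.sha256(canon).hexdigest()


def toy_sign(canon, inception, expiration):
    """Stand-in for RSA/ECDSA signing (assumption: HMAC over the canonical
    RRset plus the validity window, which is what an RRSIG covers)."""
    msg = canon + f"|{inception}|{expiration}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


class SignatureCache:
    """LRU cache of signatures keyed by RRset digest, not by query or TTL."""

    def __init__(self, max_entries, sig_lifetime, refresh_margin, clock=time.time):
        self.max_entries = max_entries
        self.sig_lifetime = sig_lifetime      # RRSIG validity in seconds
        self.refresh_margin = refresh_margin  # re-sign this long before expiry
        self.clock = clock
        self.entries = OrderedDict()          # digest -> (sig, inception, expiration)
        self.crypto_ops = 0
        self.hits = 0
        self.misses = 0

    def get_signature(self, owner, rtype, ttl, rdatas):
        canon = canonical_rrset(owner, rtype, ttl, rdatas)
        key = rrset_digest(canon)
        now = int(self.clock())
        entry = self.entries.get(key)
        # Hit: the records (hence the digest) are unchanged and the RRSIG
        # still has more than refresh_margin of validity left. The record
        # TTL plays no part in this decision.
        if entry is not None and entry[2] - now > self.refresh_margin:
            self.entries.move_to_end(key)
            self.hits += 1
            return entry
        # Miss (new records, or signature close to expiry): one crypto op.
        self.misses += 1
        self.crypto_ops += 1
        inception, expiration = now, now + self.sig_lifetime
        self.entries[key] = (toy_sign(canon, inception, expiration), inception, expiration)
        self.entries.move_to_end(key)
        # Cache policy: evict the least recently used signatures first.
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)
        return self.entries[key]


class FakeClock:
    """Constructed clock so the example can fast-forward past many TTLs."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def simulate():
    """Serve one constructed RRset every TTL for a day. Returns
    (crypto ops used, cache hits, ops a TTL-bound cache would have needed)."""
    clock = FakeClock(1_000_000)
    cache = SignatureCache(max_entries=1000, sig_lifetime=14 * 86400,
                           refresh_margin=86400, clock=clock)
    ttl = 60
    while clock.now < 1_000_000 + 86400:
        cache.get_signature("www.example.", "A", ttl, ["192.0.2.1", "192.0.2.2"])
        clock.now += ttl
    return cache.crypto_ops, cache.hits, 86400 // ttl


if __name__ == "__main__":
    print(simulate())  # one signing operation instead of 1440
```

`simulate()` is the point of the post in numbers: a cache that expires signatures with the 60-second TTL would sign 1440 times in a day, while the digest-keyed cache signs once and serves the rest from memory, with the digest guaranteeing the cached RRSIG still belongs to the records being returned.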

