From: "Jeremy C. Reed" <r...@reedmedia.net>
>> Now, I'm testing "On the Fly" generation of PTR and AAAA RRs and "On
>> the Fly" signing using perl + Net::DNS::SEC.
> 
> I notice it creates a new signature for the same lookup every time. So the 
> inception and expiration are increased immediately.

It creates a new signature for every query.

> Would it make sense to 
> possibly attempt to cache these generated signatures for the most 
> frequent requests?

Many resolvers don't send the same query while the RRSet is in their
cache. The RRSet can be validated in each server.

Each resolver may have the same PTR and a different signature.
What problem exists?

> Or is it better to just have a caching server in front of the "On
> the Fly" DNS server?

This approach is one solution to the performance problem.

> Or just rely on others to cache (since we 
> assume they won't hit the authoritative again for the same query).
> 
> Also any benchmarks on how fast it can sign on the fly?

I tested using queryperf with an existing name and type,
using a 1024bit RSASHA1 ZSK (which is generated by dnssec-keygen).
When DO=0, about 541 queries/sec
When DO=1, about 193 queries/sec

I ran it on a Xeon 2.8GHz, FreeBSD 7.2 box.

> It would be great if you can make the newer script available too (the one 
> using Net::DNS::SEC).

I put the script on my page as is.

  http://member.wide.ad.jp/~fujiwara/v6rsec-dnslab.pl

I run it as 2001:200:132:6::/64 reverse mapping DNS server.

It is a very limited prototype. It does not have many necessary functions.
It does not handle the non-existent case (generating NSEC).
It copies the OPT RR (it doesn't check the EDNS0 buffer length, I think).

# NSEC may be generated because the next owner name is the next IPv6 address
# and the type bitmap has PTR only.

Regards,

--
Kazunori Fujiwara, JPRS <fujiw...@jprs.co.jp>
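The two points raised in this exchange, caching on-the-fly RRSIGs so the inception/expiration window does not move on every query, and synthesizing NSEC for a reverse zone whose "next owner name" is simply the next IPv6 address, can be shown together in a small model. The Python below is an added example written for this thread; it is not Fujiwara's v6rsec-dnslab.pl and does not use Net::DNS::SEC. Everything is assumed or constructed: the PTR target naming scheme (`v6-<hex>.example.net.`) is hypothetical, and `sign_stand_in` is an HMAC placeholder that only stands in for the RSASHA1 ZSK signing so the example runs with the standard library; its output is not a DNSSEC signature. The zone prefix 2001:200:132:6::/64 is the one named in the message.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed stand-in secret: replaces the real 1024-bit RSASHA1 ZSK only so
# the example runs offline. Output of sign_stand_in is NOT a DNSSEC signature.
DEMO_KEY = b"constructed-demo-key"

# The reverse-mapping zone served in the message.
ZONE_NET = ipaddress.IPv6Network("2001:200:132:6::/64")


def reverse_labels(addr):
    """Nibbles of an IPv6 address in reverse order, i.e. ip6.arpa label order."""
    return list(reversed(ipaddress.IPv6Address(addr).exploded.replace(":", "")))


def ptr_owner(addr):
    """ip6.arpa owner name of the PTR record for one address."""
    return ".".join(reverse_labels(addr)) + ".ip6.arpa."


def zone_name(net):
    """Apex of the reverse zone for a prefix: drop the host nibbles, keep the rest."""
    host_nibbles = (128 - net.prefixlen) // 4
    return ".".join(reverse_labels(net.network_address)[host_nibbles:]) + ".ip6.arpa."


def synth_ptr(addr):
    """Hypothetical on-the-fly PTR target derived from the address itself."""
    return "v6-" + ipaddress.IPv6Address(addr).exploded.replace(":", "") + ".example.net."


def nsec_for(addr):
    """Synthesized NSEC: next owner is the next address, wrapping to the apex at the end.

    The message notes the type bitmap carries PTR only; a deployable NSEC
    would also list NSEC and RRSIG, since those RRsets exist at the owner.
    """
    ip = ipaddress.IPv6Address(addr)
    nxt = ip + 1
    next_name = ptr_owner(nxt) if nxt in ZONE_NET else zone_name(ZONE_NET)
    return ptr_owner(ip), next_name, ["PTR"]


def sign_stand_in(owner, rtype, rdata, inception, expiration):
    """Placeholder for ZSK signing; deterministic for a fixed validity window."""
    msg = f"{owner}|{rtype}|{rdata}|{inception}|{expiration}".encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()


class OnTheFlySigner:
    """Generates PTR answers per query but reuses a signature until it nears expiry."""

    def __init__(self, validity=3600, refresh_margin=600, clock=time.time):
        self.validity = validity            # RRSIG lifetime in seconds
        self.refresh_margin = refresh_margin  # re-sign this long before expiration
        self.clock = clock                  # injectable for deterministic tests
        self.cache = {}                     # (owner, type) -> RRSIG-like dict
        self.signatures_made = 0

    def rrsig(self, owner, rtype, rdata):
        now = int(self.clock())
        entry = self.cache.get((owner, rtype))
        # Cache hit: the window is still comfortably valid, so inception and
        # expiration stay fixed instead of moving on every query.
        if entry is not None and now < entry["expiration"] - self.refresh_margin:
            return entry
        entry = {"inception": now, "expiration": now + self.validity}
        entry["signature"] = sign_stand_in(owner, rtype, rdata, now, entry["expiration"])
        self.cache[(owner, rtype)] = entry
        self.signatures_made += 1
        return entry

    def answer_ptr(self, addr):
        owner = ptr_owner(addr)
        rdata = synth_ptr(addr)
        return {"owner": owner, "type": "PTR", "rdata": rdata,
                "rrsig": self.rrsig(owner, "PTR", rdata)}


if __name__ == "__main__":
    signer = OnTheFlySigner()
    for _ in range(3):
        print(signer.answer_ptr("2001:200:132:6::1"))
    print("signatures made:", signer.signatures_made)
    print(nsec_for("2001:200:132:6:ffff:ffff:ffff:ffff"))
```

The cache key is the owner name and type, so the hot-query case Jeremy describes stops costing an RSA operation per query, while the refresh margin ensures a resolver never receives a signature about to expire. The NSEC function also covers the chain wrap-around: the last address in the /64 points back to the zone apex.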
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
