>   | Can we qualify them with a "frequency indicator," e.g. once
>   | in a life-time, once a year, once a month, once a day?
> 
> Given that #5 needs to be N times a day (twice as stated), if we can
> handle that one, then we should be able to handle all the others up to
> at least once a day frequency, even if they're not likely to occur
> nearly that often.

One additional concern I've heard raised is the interaction between
renumbering, AAAA, and DNSSEC -- specifically, the cost of re-signing
a zone with new addresses.  The careful sysadmin would do this after
the new prefix was known, but before the new prefix started to be
used.

How much compute power does this take?  A fair amount, for large
zones.

As an unscientific test, during the dnsext meeting in Minneapolis I
took the mit.edu zone (with about 82000 hosts), synthesized AAAA
records for all hosts, and signed it using the tools included with a
recent BIND 9 release.

The effort required to re-sign scales linearly with the number of RR's
changed.  Fortunately, this task is parallelizable; however, the
processors doing the work must be trusted with the zone's private key.
Folks with appropriate levels of paranoia likely won't want to do much
else with this hardware besides maintain the zone(s).

In the absence of DNAME, a roughly similar re-signing effort is
required for PTR zones.

My recollection was that signing the synthesized zone took roughly 90
minutes on my laptop -- a 333 MHz Celeron.  So, for a rough
order-of-magnitude guesstimate, 1000 signatures per minute on this
system.

Since you need two signatures per address (one on AAAA, one on PTR),
figure on being able to re-sign 1500 addresses per minute per GHz of
CPU.  Renumbering a million-address network would take a bit over 11
GHz-hours of CPU time just for the DNSSEC signatures alone.

Note that re-signing needs to be complete before the RR's can be
replaced -- i.e., the time for renumbering to be complete is the
re-signing time plus the TTL...

                                - Bill
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
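The estimate in the message above, carried through as a small planning calculator. This is an added example, not part of the original post; the function names, the 24-hour TTL and the four-worker setup are constructed, and it assumes signing throughput scales linearly with clock speed and with the number of signing hosts.

```python
from dataclasses import dataclass


@dataclass
class ResignPlan:
    signatures: int      # total signatures to generate
    ghz_hours: float     # CPU cost normalised to one 1 GHz processor
    wall_hours: float    # re-signing time across all signing hosts
    total_hours: float   # re-signing time plus TTL, per the message


def per_ghz_rate(sigs_per_minute: float, cpu_ghz: float) -> float:
    """Normalise a measured signing rate to signatures/minute/GHz."""
    if sigs_per_minute <= 0 or cpu_ghz <= 0:
        raise ValueError("benchmark figures must be positive")
    return sigs_per_minute / cpu_ghz


def resign_plan(addresses: int, rate_per_ghz: float, ttl_seconds: int,
                workers: int = 1, worker_ghz: float = 1.0,
                resign_ptr: bool = True) -> ResignPlan:
    """Estimate how long renumbering takes to complete.

    resign_ptr=True models the no-DNAME case from the message, where
    each address costs two signatures (one AAAA, one PTR).
    Every worker is a host trusted with the zone's private key.
    """
    if workers < 1 or worker_ghz <= 0 or addresses < 0 or ttl_seconds < 0:
        raise ValueError("invalid plan parameters")
    signatures = addresses * (2 if resign_ptr else 1)
    ghz_minutes = signatures / rate_per_ghz
    wall_minutes = ghz_minutes / (workers * worker_ghz)
    ttl_minutes = ttl_seconds / 60
    return ResignPlan(
        signatures=signatures,
        ghz_hours=ghz_minutes / 60,
        wall_hours=wall_minutes / 60,
        # New RRs cannot be published until signing finishes, and the
        # old ones stay cached for up to one TTL after that.
        total_hours=(wall_minutes + ttl_minutes) / 60,
    )


if __name__ == "__main__":
    # Figures from the message: ~1000 signatures/minute on a 333 MHz CPU.
    rate = per_ghz_rate(1000, 0.333)
    # Constructed scenario: 1M addresses, 24 h TTL, four 1 GHz signers.
    plan = resign_plan(1_000_000, rate, ttl_seconds=86400, workers=4)
    print(f"{plan.ghz_hours:.1f} GHz-hours, {plan.wall_hours:.2f} h signing, "
          f"{plan.total_hours:.2f} h until renumbering completes")
```
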
