>Since you need two signatures per address (one on AAAA, one on PTR),
>figure on being able to re-sign 1500 addresses per minute per GHz of
>cpu. Renumbering a million-address network would take a bit over 11
>GHz-hours of cpu time just for the dnssec signatures alone.
the signing cost consideration really depends on two parameters:
- how often do we want to renumber
- how large is the network to get renumbered
both must carefully be considered to diagnose if A6 gives you more
benefits or more costs.
because of other constraints like below, i don't think i (or any admin)
ever want to try to renumber a site with a million nodes. renumbering is
a major task which needs a lot of planning.
- if you have hardcoded addresses in any of your router/host configs,
you will be in trouble (example: IBGP peer settings, /etc/named.conf
for zone transfer, packet filtering, anything that is written with a
numeric IPv6 address).
- to avoid a canopener-in-can situation for records pointed to by NS
records, nameservers basically have to have "A6 0" records.
so for these records we don't get any benefit from fragmented A6 records.
itojun
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------
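
The trade-off discussed in this message, as an added example that is not part of the original post: a small model of RFC 2874 A6 chains that reports which forward records change RDATA (and so need new signatures) when a site prefix changes. The zone contents, names and 2001:db8::/32 prefixes are constructed, the new prefix is assumed to have the same length as the old one, and reverse (PTR) records are not modelled.

```python
import ipaddress

# Constructed sample zone; all names and addresses are hypothetical.
# A6 RDATA as (prefix_len, address_suffix, prefix_name), per RFC 2874.
ZONE = {
    "site-prefix.example.": (0, "2001:db8:1::", None),
    "host1.example.": (48, "::1:0:0:0:10", "site-prefix.example."),
    "host2.example.": (48, "::2:0:0:0:20", "site-prefix.example."),
    # NS target: carries the full address ("A6 0") so it resolves without a chain.
    "ns1.example.": (0, "2001:db8:1:1::53", None),
}

def resolve(name, zone):
    """Follow the A6 chain and return the full 128-bit address."""
    plen, suffix, pname = zone[name]
    low = int(ipaddress.IPv6Address(suffix)) & ((1 << (128 - plen)) - 1)
    if plen == 0:
        return ipaddress.IPv6Address(low)
    # The top plen bits come from the record named by prefix_name.
    high = int(resolve(pname, zone)) >> (128 - plen) << (128 - plen)
    return ipaddress.IPv6Address(high | low)

def renumber(zone, old, new):
    """Return (new_zone, names whose RDATA changed and must be re-signed)."""
    old_net, new_net = ipaddress.IPv6Network(old), ipaddress.IPv6Network(new)
    host_mask = (1 << (128 - old_net.prefixlen)) - 1
    out, resign = {}, []
    for name, (plen, suffix, pname) in zone.items():
        addr = ipaddress.IPv6Address(suffix)
        # Only records that embed the site prefix bits themselves are affected.
        if plen < old_net.prefixlen and addr in old_net:
            addr = ipaddress.IPv6Address(
                int(new_net.network_address) | (int(addr) & host_mask))
            resign.append(name)
        out[name] = (plen, str(addr), pname)
    return out, resign

def ghz_hours(addresses, per_minute_per_ghz=1500):
    """Flat AAAA+PTR re-signing cost, using the rate quoted in the message."""
    return addresses / per_minute_per_ghz / 60

if __name__ == "__main__":
    new_zone, resign = renumber(ZONE, "2001:db8:1::/48", "2001:db8:2::/48")
    print("re-sign:", resign)
    for n in new_zone:
        print(n, resolve(n, new_zone))
    print("flat cost for 1e6 addresses: %.1f GHz-hours" % ghz_hours(1_000_000))
```

The chained host records keep their RDATA across the prefix change, while the "A6 0" nameserver record has to be rewritten and re-signed like an ordinary full address.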