Re: Why did my DNS bill go up?
Worst case should be double the queries which happens when there isn’t a cached DNSKEY RRset to validate the response. If there are multiple queries clustered together the overhead is reduced. -- Mark Andrews > On 14 Apr 2022, at 22:23, Andrew P. wrote: > > Greetings, all. > > I had a surprise on the bill from my secondary DNS provider after I turned on > DNSSEC. The number of record queries on my domains increased by a factor of > about 5, compared to the number of record queries when I didn't have DNSSEC. > Is this normal for DNSSEC? It's been a consistent significantly higher query > level since deploying DNSSEC 3 months ago on 2 small domains (total of 120 > records across the two domains), and it was 57 new RRSIG, DNSKEY, and > NSEC3PARAM records added the domains for the DNSSEC. > > The average number of attacks per day on my webserver (according to the > server logs) does not appear to have increased since the DNSSEC deployment. > > This is for the ka2ddo.org and ka2ddo.radio domains. > > So, is DNSSEC really that much more costly in terms of queries? > > Andrew Pavlin > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
AW: Why did my DNS bill go up?
Hi Andrew! DNSSEC is more costly: more Ressource Records to hold on disk, to hold in memory and more queries and more IP traffic. If the DNSSEC signing is also done by the DNS provider there would be additional ressources for the signing service and risks when doing something wrong. For a single domain, these additional ressources for DNSSEC would be neglectable, if you have 1 mio Zones signed or unsigned it makes a hughe difference to the DNS provider. So, yes, DNSSEC costs additional ressources, and depending on the business model of the DNS provider he will charge you for that (although everybody expects security to be for free) regards Klaus > -Ursprüngliche Nachricht- > Von: bind-users Im Auftrag von Andrew > P. > Gesendet: Donnerstag, 14. April 2022 14:23 > An: bind-users@lists.isc.org > Betreff: Why did my DNS bill go up? > > Greetings, all. > > I had a surprise on the bill from my secondary DNS provider after I turned on > DNSSEC. The number of record queries on my domains increased by a factor > of about 5, compared to the number of record queries when I didn't have > DNSSEC. Is this normal for DNSSEC? It's been a consistent significantly higher > query level since deploying DNSSEC 3 months ago on 2 small domains (total > of 120 records across the two domains), and it was 57 new RRSIG, DNSKEY, > and NSEC3PARAM records added the domains for the DNSSEC. > > The average number of attacks per day on my webserver (according to the > server logs) does not appear to have increased since the DNSSEC > deployment. > > This is for the ka2ddo.org and ka2ddo.radio domains. > > So, is DNSSEC really that much more costly in terms of queries? > > Andrew Pavlin > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this > list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Why did my DNS bill go up?
Greetings, all. I had a surprise on the bill from my secondary DNS provider after I turned on DNSSEC. The number of record queries on my domains increased by a factor of about 5, compared to the number of record queries when I didn't have DNSSEC. Is this normal for DNSSEC? It's been a consistent significantly higher query level since deploying DNSSEC 3 months ago on 2 small domains (total of 120 records across the two domains), and it was 57 new RRSIG, DNSKEY, and NSEC3PARAM records added the domains for the DNSSEC. The average number of attacks per day on my webserver (according to the server logs) does not appear to have increased since the DNSSEC deployment. This is for the ka2ddo.org and ka2ddo.radio domains. So, is DNSSEC really that much more costly in terms of queries? Andrew Pavlin -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
