

To: dnsop@cafax.se, namedroppers@ops.ietf.org
From: Roy Arends <roy@nlnetlabs.nl>
Date: Tue, 18 Apr 2000 17:40:47 +0200 (CEST)
Sender: owner-dnsop@cafax.se
Subject: DNSSEC: Signing the German TLD zone.

This report was just sent to the DNSSEC-WG at CENTR.
---------- Forwarded message ----------
Date: Tue, 18 Apr 2000 17:05:44 +0200 (CEST)
From: Roy Arends <roy@nlnetlabs.nl>
To: dnssec-wg@lists.centr.org
Subject: Signing the German TLD zone. (fwd)

Signing the German TLD zone.
 
1. The original .de zone                         

1.1 Structure.

   German domain holders can either have their zone delegated (with a
   maximum of 5 NS records) or have 5 (A/MX) RR records in the .de zone
   itself. MX RR labels may have wildcards. CNAME RR's are not allowed.

1.2 Statistics.
   SOA RR : 1
   NS  RR : 2685819
   MX  RR : 1403093 (682539 are wildcards)   
   A   RR : 1365582

   Domains: 1976902      
   Size   : 232 MByte    

1.3 Preparing for the signing session.
   Due to the size and the expected growth of the zone during the signing
   session, the test-machine had to be reconfigured. The limit of datasize
   segments was set to 2G and swap space was increased to 4G.
 
1.4 Signing the zone.
   To sign the zone, we used the signer that came with the distribution
   of BIND V9.0.0-b2. We changed the source code to get time-stamps
   after N signatures. We used a 512 bit DSA key, generated with the
   keygen tool, also from the distribution of BIND V9.0.0-b2.
   The test-machine is an average off-the-shelf PC with an Athlon 500 MHz
   processor running FreeBSD 3.4.

1.5 Results
   We measured the usage of the signing process on the processor plus the
   system time. The time used was 47601 sec (13h13m21s).
   The following was done:

         1 SOA RRset  was  signed
         1 NS  RRset  was  signed
   1336944 MX  RRsets were signed
   1348946 A   RRsets were signed
   3333218 NXT RR's   were created
   3323726 NXT RR's   were signed
   6009618 SIG RR's   were created

   The size of the zone file increased by about a factor of 4.4, from 232
   MByte to 1 GByte.

2. Converting the .de zone to a delegation-only zone.

2.1 We removed all the non-NS records from subzones, and inserted
   delegations (2 NS records) instead. The total number of domains stayed
   the same.

2.2 Statistics.

   SOA RR :       1
   NS  RR : 4060729
   A   RR :   10301

   Domains: 1976902
   Size   : 117 MByte
   
2.3 Signing the converted zone.
   (See part 1.4)

2.4 Results
   The time the signer needed was 16493 sec (4h18m13s). 
   The following was done:

         1 SOA RRset  was  signed
         1 NS  RRset  was  signed
         9 A   RRsets were signed
   1966642 NXT RR's   were created
   1950988 NXT RR's   were signed
   1950999 SIG RR's   were created

   The size of the zone file increased by about a factor of 3.2, from
   117 MByte to 380 MByte.


Regards,

Roy Arends.
--
roy@nlnetlabs.nl                NLnetLabs
tel +31208884551                Kruislaan 419
|\ ||   _  _|_  |   _ |_  _     1098 VA  Amsterdam
| \||__| )(-|_  |__(_||_)_)     The Netherlands










