From 635885afe65fc8d4995573297734b53e0d500ad7 Mon Sep 17 00:00:00 2001 From: Petr Špaček Date: Mon, 13 Jun 2022 17:34:37 +0200 Subject: [PATCH] Update Authoritative Server Hardware requirements in DNSSEC Guide Based on measurements done on BIND v9_19_2 using bank. TLD and a synthetic fully signed zone, using RSASHA256 and ECDSAP256SHA256 algorithms with NSEC and NSEC3 without opt-out. --- doc/dnssec-guide/getting-started.rst | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/dnssec-guide/getting-started.rst b/doc/dnssec-guide/getting-started.rst index 458a2eb2a6..ff3ae2cc5d 100644 --- a/doc/dnssec-guide/getting-started.rst +++ b/doc/dnssec-guide/getting-started.rst @@ -62,8 +62,8 @@ Authoritative Server Hardware On the authoritative server side, DNSSEC is enabled on a zone-by-zone basis. When a zone is DNSSEC-enabled, it is also known as "signed." -Below are the areas to consider for possible hardware -enhancements for an authoritative server with signed zones: +Below are the expected changes to resource consumption caused by serving +DNSSEC-signed zones: 1. *CPU*: a DNSSEC-signed zone requires periodic re-signing, which is a cryptographic function that is CPU-intensive. If your DNS zone is 
@@ -72,12 +72,17 @@ enhancements for an authoritative server with signed zones: 2. *System storage*: A signed zone is definitely larger than an unsigned zone. How much larger? See :ref:`your_zone_before_and_after_dnssec` for a comparison - example. Roughly speaking, you should expect your zone file to grow by at - least three times, and frequently more. + example. The final size depends on the structure of the zone, the signing algorithm, + the number of keys, the choice of NSEC or NSEC3, the ratio of signed delegations, the zone file + format, etc. Usually, the size of a signed zone ranges from a negligible + increase to as much as three times the size of the unsigned zone. 3. *System memory*: Larger DNS zone files take up not only more storage space on the file system, but also more space when they are loaded - into system memory. + into system memory. The final memory consumption also depends on all the + variables listed above: in the typical case the increase is around half of + the unsigned zone memory consumption, but it can be as high as three times + for some corner cases. 4. *Network interfaces*: While your authoritative name servers will begin sending back larger responses, it is unlikely that you need to
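Review bot: In the first hunk (`@@ -62,8 +62,8 @@`), the new lead sentence "expected changes to resource consumption caused by serving DNSSEC-signed zones" does not match the unchanged item 1 that follows it, which describes the CPU cost of periodic re-signing; re-signing is only incurred when this server signs the zone itself (inline signing or a `dnssec-policy`), not when it merely serves a pre-signed zone received via zone transfer. Either widen the lead to "caused by signing and serving DNSSEC-signed zones" or add a qualifier to item 1 so readers serving pre-signed zones do not expect the CPU cost.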
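Review bot: In the second hunk (`@@ -72,12 +72,17 @@`), the new size and memory ranges mix an increase with a multiple, which makes the upper bounds ambiguous: "ranges from a negligible increase to as much as three times the size of the unsigned zone" reads as an increase of 3x (4x total) on one parsing and 3x total on another, and in item 3 "the increase is around half ... but it can be as high as three times" has the same problem. Suggest stating both ends the same way, e.g. "the signed zone is usually between slightly larger and roughly three times the size of the unsigned zone" and "in the typical case the signed zone needs about 1.5 times the memory of the unsigned zone, and up to three times in some corner cases". The basis for these figures (BIND 9.19.2, the bank. TLD and a synthetic fully signed zone, RSASHA256 and ECDSAP256SHA256, NSEC and NSEC3 without opt-out) appears only in the commit message; since the guide now gives concrete ratios, a short sentence in the document itself naming the measured configuration would let readers judge whether the numbers apply to their zones, in particular because the "ratio of signed delegations" factor was not exercised by measurements without opt-out.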