[Opendnssec-develop] Creating keys

John Dickinson jad at jadickinson.co.uk
Thu Nov 27 15:54:56 UTC 2008


On 27 Nov 2008, at 11:59, Olaf Kolkman wrote:

>
> On Nov 27, 2008, at 11:25 AM, John Dickinson wrote:
>
>> Lacking anyone physically present who cares about DNS, DNSSEC or  
>> keys to bounce thoughts off I am going to use this mailing list :)
>>
>> I am working on the key creation logic of the enforcer.
>>
>> A policy is used to specify key and signing parameters for a zone  
>> or set of zones.
>>
>> Let's look at an example, say the policy specifies that the  
>> algorithm to be used for new KSKs is 5 and that the algorithm to be  
>> used for ZSKs is 11 (ignore for now any technicalities of exactly  
>> how you switch to a new algorithm). Keys for both KSKs and ZSKs  
>> are to be stored in security module 1.
>>
>> The enforcer will start for the FIRST TIME and examine the policy -  
>> it will see that it needs keys of types 5 and 11. It knows (because  
>> we told it) that the capacity of security module 1 is 1000 keys.
>>
>> Key generation is expensive so I was planning to pre-create as many  
>> keys as possible. So first of all I thought the Enforcer could  
>> create 500 keys of each algorithm. Great - that is easy. But  
>> consider the following events in the future...
>>
>
> The whole argument is built on the presumption that key generation  
> is so expensive you need to pre-create that many. I do not  
> understand that point. In the context of resigning a zone the  
> key generation is only a fraction of the expense, isn't it?
>
> My, maybe naive, thinking is that you only generate keys when you  
> actually are about to use them?
>

True, these are the figures for RSA key generation on an SCA6000:

key size | time (sec)
---------------------
256      |  0.7
512      |  0.8
1024     |  1.1
2048     |  1.9

Signing speed is 14,000 sig/sec per card (tested at 40,000 sig/sec by  
Roy with 3 SCA cards). So whilst a second or two is not long, it is  
very expensive compared with signing.

So I guess if you have a large zone like co.uk, then a couple of  
seconds in the 6-odd minutes that it would take to sign from scratch  
is nothing. However, if you have 1000s of small zones or you are  
dynamically updating every minute, then it could make a big difference.

Roy - I know you have thought about this - any comments?
John
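A small cost model of the trade-off John describes, as an added example (not code from the thread or from OpenDNSSEC): it uses the SCA6000 key-generation times and the 14,000 sig/sec figure quoted above, with constructed zone sizes (a co.uk-sized zone whose signing run takes about 6 minutes and rolls 2 keys, and 1000 small zones of 50 signatures each rolling 1 key), and compares generating keys on demand against drawing them from a pre-generated pool.

```python
from dataclasses import dataclass

# Figures quoted in the thread: RSA key generation time on an SCA6000 by key
# size, and the per-card signing rate. Everything else below is constructed.
KEYGEN_SEC = {256: 0.7, 512: 0.8, 1024: 1.1, 2048: 1.9}
SIGS_PER_SEC = 14_000


@dataclass
class Zone:
    name: str
    signatures: int       # signatures produced by one signing run
    keys_per_run: int     # fresh keys the run consumes (e.g. a rolled ZSK)
    key_bits: int = 1024  # constructed default: 1024-bit RSA


def sign_time(z: Zone) -> float:
    return z.signatures / SIGS_PER_SEC


def run_time(zones, pooled_keys: int = 0) -> float:
    """Wall-clock seconds for one signing pass over `zones`.

    Keys are taken from a pre-generated pool first (cost 0 on the critical
    path); only the shortfall is generated on demand at KEYGEN_SEC each.
    """
    total, pool = 0.0, pooled_keys
    for z in zones:
        taken = min(pool, z.keys_per_run)
        pool -= taken
        on_demand = z.keys_per_run - taken
        total += on_demand * KEYGEN_SEC[z.key_bits] + sign_time(z)
    return total


def keygen_share(zones, pooled_keys: int = 0) -> float:
    """Fraction of the run spent generating keys (0.0 when the pool covers it)."""
    t = run_time(zones, pooled_keys)
    return (t - sum(sign_time(z) for z in zones)) / t


# Constructed scenarios matching the two cases argued in the thread.
BIG_TLD = [Zone("co.uk", signatures=6 * 60 * SIGS_PER_SEC, keys_per_run=2)]
SMALL_ZONES = [Zone(f"zone{i}.example", signatures=50, keys_per_run=1)
               for i in range(1000)]

if __name__ == "__main__":
    for label, zones in (("co.uk", BIG_TLD), ("1000 small zones", SMALL_ZONES)):
        print(f"{label}: on demand {run_time(zones):8.1f}s "
              f"({keygen_share(zones):.1%} keygen), "
              f"pooled {run_time(zones, pooled_keys=1000):8.1f}s")
```

For the large zone the two key generations are well under 1% of the run, while for the thousand small zones on-demand generation dominates the pass until a pool of pre-created keys absorbs it.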