[Opendnssec-develop] Minutes of San Francisco meeting, 25 March 2009

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Mar 31 18:08:23 UTC 2009


Action: Matthijs - speak to Jaap Akkerhuis to tell him that we may want
a presentation slot at the RIPE DNS WG meeting.

--------------------------------------------------------------------------
We can always get a 15min slot to present our stuff. If we want a longer
slot, we have to submit in advance. Currently, no submissions are made
yet. Jaap will warn me if it gets crowded.
--------------------------------------------------------------------------

Action: Matthijs - forward signing requirements from .org to the list.

--------------------------------------------------------------------------
Interesting tidbits:
* ORG has almost 8 million delegations with about 17.5 million RR.
  It takes about 2 gibibytes of RAM to run unsigned.
* INFO has over 5 million delegations and about 11.5 million RR.
  It takes about 1.5 gibibytes of RAM to run unsigned.
* Updates occur every minute (this might happen faster in the future, if
  we can get our SQL database to keep up with the queries), and are
  transmitted via NOTIFY/XFR.
* The infrastructure includes hidden distribution masters as well as
  user-facing DNS servers. BIND does all distribution (we don't care
  about diversity on our internal infrastructure so much).
* The average serial increase seems to be about 100.
* Signing occurs when a new serial arrives.

Here are our minimal needs:
* NSEC3 support
* IXFR support
* TSIG support
* Time for incremental signing < 1 minute

Our plans now include a 2048-bit KSK that we do not roll, a 1024-bit ZSK
that we roll monthly, and a 7-day signature lifetime.

In theory this list should be quite straightforward for a signer. If we
assume each deletion or addition will result in 3 new records to be
signed then that is only 300 signatures per minute from changes to the

If we assume a 1-week signature lifetime, then we will also have
something like:
* 8 million signatures in zone from RRSET
* 8 million RR in zone from NSEC3 (worst case)
* 16 million RR / (7 days * 24 hours * 60 minutes) = 1600 sign/minute

So we need something that can sign or re-sign about 1900 times a minute,
or say 35 times a second - something that should be possible without too
much work if it is done with a proper design.
--------------------------------------------------------------------------
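The throughput estimate in the forwarded requirements, worked as a small capacity model. This is an added example, not OpenDNSSEC or .org code. The zone figures are the ones quoted in the message; the refresh window (a signer normally regenerates an RRSIG some time before it expires, not at expiry) and the NSEC3 opt-out switch (with opt-out, insecure delegations carry no NSEC3 record) are assumptions added to show how they move the required rate:

```python
"""Signer throughput model for a large TLD.

Added example, not OpenDNSSEC or .org code. The zone figures are those
quoted in the message; refresh_days and nsec3_per_delegation are
assumptions about signer behaviour, not figures from the message.
"""

from dataclasses import dataclass, replace

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class ZoneProfile:
    delegations: int                   # delegated names in the zone
    changes_per_minute: int            # adds/deletes per serial increase
    rrsigs_per_change: int             # RRSIGs a single add/delete touches
    sig_lifetime_days: float           # RRSIG validity period
    refresh_days: float = 0.0          # assumption: re-sign this long before expiry
    nsec3_per_delegation: bool = True  # worst case: no opt-out, one NSEC3 per name


def steady_state_rrsigs(p: ZoneProfile) -> int:
    """Signatures that must be valid at all times: one per delegation's
    signed RRset, plus one per NSEC3 record in the no-opt-out worst case."""
    total = p.delegations
    if p.nsec3_per_delegation:
        total += p.delegations
    return total


def resign_rate_per_minute(p: ZoneProfile) -> float:
    """Background re-signing: every standing RRSIG is regenerated once per
    effective lifetime. Refreshing early (refresh_days > 0) shortens that
    period and so raises the rate above the nominal-lifetime figure."""
    effective_days = p.sig_lifetime_days - p.refresh_days
    if effective_days <= 0:
        raise ValueError("refresh window must be shorter than signature lifetime")
    return steady_state_rrsigs(p) / (effective_days * MINUTES_PER_DAY)


def churn_rate_per_minute(p: ZoneProfile) -> float:
    """Incremental signing driven by the zone updates arriving via NOTIFY/XFR."""
    return p.changes_per_minute * p.rrsigs_per_change


def required_signing_rate(p: ZoneProfile) -> dict:
    """Combine both workloads into per-minute and per-second requirements."""
    churn = churn_rate_per_minute(p)
    resign = resign_rate_per_minute(p)
    per_minute = churn + resign
    return {
        "churn_per_minute": churn,
        "resign_per_minute": resign,
        "total_per_minute": per_minute,
        "total_per_second": per_minute / 60,
    }


# Figures quoted for .org in the message: ~8M delegations, ~100 changes per
# serial, 3 RRSIGs per change, 7-day signature lifetime.
ORG = ZoneProfile(
    delegations=8_000_000,
    changes_per_minute=100,
    rrsigs_per_change=3,
    sig_lifetime_days=7,
)

if __name__ == "__main__":
    scenarios = (
        ("re-sign at expiry, NSEC3 worst case", ORG),
        ("re-sign 1 day early, NSEC3 worst case", replace(ORG, refresh_days=1.0)),
        ("re-sign at expiry, NSEC3 opt-out", replace(ORG, nsec3_per_delegation=False)),
    )
    for label, profile in scenarios:
        r = required_signing_rate(profile)
        print(f"{label}: {r['total_per_minute']:.0f} sig/min, "
              f"{r['total_per_second']:.1f} sig/s")
```

With the quoted numbers the model gives about 300 signatures per minute from churn and about 1590 per minute from re-signing, close to the 1900 per minute in the message. Refreshing one day before expiry pushes the background figure to roughly 1850 per minute, so the refresh policy matters almost as much as the lifetime when sizing the signer; with NSEC3 opt-out the NSEC3 term disappears and the background load halves.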

