GNSO Email Archives: [ga]

ICANN/GNSO GNSO Email List Archives

[ga]

<<< Chronological Index >>> <<< Thread Index >>>

Re: [ga] PIR implementing DNSSEC

To: Danny Younger <dannyyounger@xxxxxxxxx>
Subject: Re: [ga] PIR implementing DNSSEC
From: Karl Auerbach <karl@xxxxxxxxxxxx>
Date: Fri, 18 Aug 2006 11:36:23 -0700
Cc: ga@xxxxxxxxxxxxxx
In-reply-to: <20060818115334.88192.qmail@web53303.mail.yahoo.com>
References: <20060818115334.88192.qmail@web53303.mail.yahoo.com>
Sender: owner-ga@xxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.5 (X11/20060808)

Danny Younger wrote:

Posted yesterday (but dated 2 August 2006):

"This letter is written to advise that PIR intends to
implement DNSSEC in accordance with the IETF
standards.

There is a concern that I have about DNSSEC - and it's due to lack of knowledge.

The concern is this: If a server goes down, and servers *do* go down, then how long will it take to reload a large DNSSEC protected zone?

Although it is very unlikely that all of PIR's servers would go down at the same time from attacks or power outages or things like that. But administrative errors, or something due to common operating systems, etc, may cause an outage across several or all servers. I have concern for the length of the time-to-recover.

I have heard, but do not know the details, that it can take a long time for a large DNSSEC zone to load due to the computational load of signature checks. (Why that can't be done in advance, I don't know.)

My lack of experience with DNSSEC is showing.

		--karl--

References:
- [ga] PIR implementing DNSSEC
  - From: Danny Younger

<<< Chronological Index >>> <<< Thread Index >>>