Re: [ga] PIR implementing DNSSEC
Danny Younger wrote: Posted yesterday (but dated 2 August 2006):

There is a concern that I have about DNSSEC - and it's due to lack of knowledge.

The concern is this: If a server goes down, and servers *do* go down, then how long will it take to reload a large DNSSEC protected zone?

It is very unlikely that all of PIR's servers would go down at the same time from attacks or power outages or things like that. But administrative errors, or something due to common operating systems, etc., may cause an outage across several or all servers.

I have concern for the length of the time-to-recover. I have heard, but do not know the details, that it can take a long time for a large DNSSEC zone to load due to the computational load of signature checks. (Why that can't be done in advance, I don't know.)

My lack of experience with DNSSEC is showing.

--karl--