[governance] DNSsec and alternative DNS system

Thomas Narten narten at us.ibm.com
Fri Nov 16 09:32:59 EST 2007


Karl Auerbach <karl at cavebear.com> writes:

> Since you mentioned DNSSEC:  I have a question that has not been clearly 
> answered.

> Suppose we have an internet with some very large DNSSEC signed zone 
> files - let's use .com as a hypothetical model with roughly 70,000,000 
> items today.

> Suppose that due to some systemic failure - for instance a software 
> upgrade gone bad - that all or most of the servers for that zone go down 
> (or worse, crash).

Note: DNSSEC is irrelevant to this question. The above is a potential
problem for any large zone. That said, the operators of large zones of
course know about this and go to great lengths to ensure it doesn't
happen. This is no different than any significant service that has to
run 7x24 with NO downtime allowed, for any reason.

That .com hasn't had such an outage is no accident, I would bet.

> How long will it take for those servers to come up again and provide 
> name resolution services?  In other words how long for the systems to do 
> the necessary file system checks (fsck) and checking of the zone file 
> signatures?

Again, in the context of DNSSEC, the answer is still mostly the same.

First, it should be pointed out that restarting a zone after a failure
does NOT require the checking (or rechecking) of ANY of the zone
signatures. The DNSSEC design is such that the signing of the data can
be done offline on another machine, with the zone data itself
(including all DNSSEC signatures) being treated as just normal data
when a nameserver restarts. (If the server did the signing itself, the
keys would need to be available to the server, which means the keys
themselves would be open to compromise should the nameserver become
compromised.)

My understanding is that the additional data that goes with a signed
zone typically increases the overall size of the zone by only a factor
of 2-4, though YMMV. Even an order of magnitude increase in the size
of the zone file would not add that much.

And, w.r.t. your point about needing to run "fsck" on the disc data,
you are making the assumption that the zone file is stored in a
typical Unix file system, an assumption that is probably false. In
this day and age (and for the requirements) it may well be that the
zone data is stored in other ways, precisely so that reloading can be
faster. But now you are asking about details that I do not have direct
knowledge of. You need to ask an operator of a large zone. But a final
point that should be made is that running fsck (if it is needed) is
only a small part of restarting a zone after catastrophic failure. So
I doubt DNSSEC changes the overall picture very much.

Thomas
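The two points above, that signing happens offline on a host that holds the private key while the nameserver only loads the signed records as ordinary data, and that the signatures add a modest constant factor to the zone size, can be shown with a small simulation. The following is added example code, not part of the thread and not from any real DNSSEC implementation: it uses a deliberately small toy RSA key (two Mersenne primes, no padding) as a stand-in for a real DNSSEC algorithm, a constructed `example.com` zone, and an RRSIG-like line format that is an invention for the demonstration.

```python
"""Toy model of DNSSEC's offline-signing split: the signer holds the
private key, the authoritative server only ever loads opaque signed
data (no key, no signature check), and a validating resolver checks
signatures with the public key. Example code, not from the thread."""
import hashlib

# Toy RSA key built from two Mersenne primes, giving a ~92-bit modulus.
# Illustration only: real DNSSEC uses 2048-bit RSA or ECDSA/Ed25519.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: lives only on the signer
PUBLIC_KEY = (N, E)                  # what a validating resolver needs
PRIVATE_KEY = (N, D)                 # what only the offline signer needs


def build_zone(count):
    """Constructed sample zone: `count` A records under example.com (hypothetical)."""
    return [f"host{i}.example.com. 3600 IN A 192.0.2.{i % 256}" for i in range(count)]


def digest(record):
    """SHA-256 of the record text, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(record.encode()).digest(), "big") % N


def sign_zone_offline(records, private_key):
    """Signer side: emit each record followed by an RRSIG-like line.
    This is the only step that touches the private key."""
    n, d = private_key
    out = []
    for rr in records:
        out.append(rr)
        owner = rr.split()[0]
        out.append(f"{owner} 3600 IN RRSIG A {pow(digest(rr), d, n)}")
    return "\n".join(out) + "\n"


def load_zone(zone_text):
    """Authoritative-server side on restart: parse the file into a
    {owner: {type: line}} map. No key material, no verification; the
    RRSIG lines are just more data to store and serve."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        records.setdefault(fields[0], {})[fields[3]] = line
    return records


def validate(rr, rrsig_line, public_key):
    """Resolver side: verify the RRSIG-like line against the record
    using only the public key."""
    n, e = public_key
    sig = int(rrsig_line.split()[-1])
    return pow(sig, e, n) == digest(rr)


def size_overhead(records, private_key):
    """Ratio of signed zone text size to unsigned zone text size."""
    unsigned = len("\n".join(records) + "\n")
    signed = len(sign_zone_offline(records, private_key))
    return signed / unsigned


if __name__ == "__main__":
    zone = build_zone(1000)
    signed_text = sign_zone_offline(zone, PRIVATE_KEY)   # offline, with the key
    served = load_zone(signed_text)                      # on restart, without it
    rrset = served["host7.example.com."]
    print("records loaded:", len(served))
    print("valid:", validate(rrset["A"], rrset["RRSIG"], PUBLIC_KEY))
    print("size overhead: %.2fx" % size_overhead(zone, PRIVATE_KEY))
```

`load_zone` is the part that matters for the restart question: it is plain parsing, its cost does not depend on whether the zone is signed, and the signing host (and its key) can be switched off the whole time. The overhead ratio for this record shape lands in the 2-4x range mentioned above, although real zones with NSEC/NSEC3 chains and larger signatures will differ.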
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.cpsr.org
To be removed from the list, send any message to:
     governance-unsubscribe at lists.cpsr.org

For all list information and functions, see:
     http://lists.cpsr.org/lists/info/governance