How to measure the impact of enabling DNSSEC?
Mark Andrews
marka at isc.org
Tue Jan 22 22:32:39 UTC 2013
In message <CA+fq9b-ym5w+NDXzZNDZWNnqk-V29S19eNB_myJBK-JRGBj9Wg at mail.gmail.com>, Augie Schwer writes:
>
> Would measuring the number of SERVFAIL entries in the "query-errors"
> category be a good indicator of what impact enabling DNSSEC has?
>
> I am replaying some production traffic at a test instance; once with DNSSEC
> enabled and once with it disabled and then counting the number of entries
> logged via the query-errors category to get an indication of what impact
> enabling DNSSEC on my production hosts would be.
>
> Is this a good way to measure? Is there a better way?
Provided you aren't blocking EDNS responses, including fragmented
UDP responses, you shouldn't see extra failures.
DNSSEC is like wearing a seatbelt. 99.99% of the time it has no
impact. And like a seatbelt it can save you (reject spoofed answers)
or hinder you (lookups fail due to the zone not being re-signed)
on rare occasions.
The biggest impact it has is enabling new applications.
> --
> Augie Schwer - Augie at Schwer.us - http://schwer.us
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
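One way to do the comparison Augie describes, as an added example that is not part of the thread: parse BIND query-errors log lines from both replays, count SERVFAIL per name and type, and report the names that fail more often only when DNSSEC is enabled (the candidates for blocked EDNS/fragmented responses or unsigned zones, per the reply). The log line shape and the sample lines are constructed assumptions, not real logs.

```python
import re
from collections import Counter

# Assumed shape of a BIND query-errors line; the part we key on is
# "query failed (RCODE) for NAME/CLASS/TYPE" (constructed, may differ by version).
QUERY_ERROR_RE = re.compile(
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<name>\S+)/(?P<cls>\S+)/(?P<qtype>\S+)"
)

# Constructed sample replays: same traffic, validation off vs. on.
RUN_WITHOUT_DNSSEC = [
    "22-Jan-2013 22:10:01.123 query-errors: info: client 192.0.2.10#53456: "
    "query failed (SERVFAIL) for broken.example/IN/A at query.c:6570",
    "22-Jan-2013 22:10:02.001 general: info: zone example.test/IN: loaded serial 1",
]
RUN_WITH_DNSSEC = [
    "22-Jan-2013 23:10:01.123 query-errors: info: client 192.0.2.10#53456: "
    "query failed (SERVFAIL) for broken.example/IN/A at query.c:6570",
    "22-Jan-2013 23:10:05.400 query-errors: info: client 192.0.2.12#50001: "
    "query failed (SERVFAIL) for expired.example/IN/A at query.c:6570",
    "22-Jan-2013 23:10:06.410 query-errors: info: client 192.0.2.13#50002: "
    "query failed (SERVFAIL) for expired.example/IN/A at query.c:6570",
]


def count_servfail(lines):
    """Count SERVFAIL entries per (name, qtype); other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = QUERY_ERROR_RE.search(line)
        if m and m.group("rcode") == "SERVFAIL":
            counts[(m.group("name"), m.group("qtype"))] += 1
    return counts


def dnssec_delta(without_dnssec, with_dnssec):
    """Return {(name, qtype): extra SERVFAILs} seen only with DNSSEC enabled.

    Names that already failed without validation are noise; what matters is
    the increase, which is what to investigate (EDNS/fragment filtering,
    stale signatures) before enabling validation in production.
    """
    before = count_servfail(without_dnssec)
    after = count_servfail(with_dnssec)
    return {k: after[k] - before[k] for k in set(before) | set(after) if after[k] > before[k]}


if __name__ == "__main__":
    for (name, qtype), extra in sorted(dnssec_delta(RUN_WITHOUT_DNSSEC, RUN_WITH_DNSSEC).items()):
        print(f"{name}/{qtype}: +{extra} SERVFAIL with DNSSEC enabled")
```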