How to measure the impact of enabling DNSSEC?
Augie Schwer
augie.schwer at gmail.com
Wed Jan 23 19:38:58 UTC 2013
On Tue, Jan 22, 2013 at 2:32 PM, Mark Andrews <marka at isc.org> wrote:
>
> In message <
> CA+fq9b-ym5w+NDXzZNDZWNnqk-V29S19eNB_myJBK-JRGBj9Wg at mail.gmail.com>,
> Augie Schwer wri
> tes:
> >
> > Would measuring the number of SERVFAIL entries in the "query-errors"
> > category be a good indicator of what impact enabling DNSSEC has?
>
> DNSSEC is like wearing a seatbelt. 99.99% of the time it has no
> impact. And like a seatbelt it can save you (reject spoofed answers)
> or hinder you (lookups fail due to the zone not being re-signed)
> on rare occasions.
>
That makes sense to me; I was looking for a way to quantify the affect
enabling DNSSEC validation in a Bind server.
Measuring SERVFAILs seems to be a good proxy to measure DNSSEC's impact.
Thanks for the reply.
--
Augie Schwer - Augie at Schwer.us - http://schwer.us
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130123/4dd3876d/attachment.html>
More information about the bind-users
mailing list