Hi,

We did some research on the performance impact of the number of hash
iterations for NSEC3. For convenience the abstract and conclusion are
included below. The full paper can be found at:
http://www.nlnetlabs.nl/downloads/publications/nsec3_hash_performance.pdf

Abstract

When signing a zone with DNSSEC and NSEC3, a choice has to be made for
the key size and the number of hash iterations. We have measured the
effect of the number of hash iterations in NSEC3 in terms of maximum
query load using NSD and Unbound. This document presents the results of
these measurements and compares the cost for validating and
authoritative name servers and allows for an educated choice for these
parameters.

Conclusion

We have two observations:
1. Even for short keys the number of iterations for NSEC3 has more
   impact on NSD’s performance than on the performance of Unbound.
2. The half performance count is constant for NSD and will grow with
   the key size for Unbound.

There seems to be an appropriate alignment between incurred and imposed
costs: the authoritative servers dictate these parameters but are
affected the most themselves. This means that in order to find a
satisfying amount of iterations it is sufficient to look at the
performance impact of the authoritative name server.

Regards,
Yuri Schaeffer

-- 
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

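The cost the paper measures is the NSEC3 hash itself, so here is an added worked example (not part of the message or the paper) that implements the RFC 5155 hashed owner name and times it at increasing iteration counts. The name www.example and the iteration counts in the benchmark are illustrative; the salt aabbccdd and the 12-iteration value for example. come from RFC 5155 Appendix A and serve as a correctness check.

```python
import base64
import hashlib
import time

# Base32 with the "extended hex" alphabet that NSEC3 owner names use (RFC 4648 section 7).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, then the root label."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_digest(name: str, salt_hex: str, iterations: int) -> bytes:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt) and IH(salt, x, k) = H(IH(salt, x, k-1) || salt).

    Each extra iteration is one more SHA-1 call over digest plus salt; that is the
    per-query work whose growth the measurements above compare for NSD and Unbound.
    """
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name as it appears in the zone: base32hex, lower-cased, no padding (20 bytes -> 32 chars)."""
    encoded = base64.b32encode(nsec3_digest(name, salt_hex, iterations)).decode("ascii")
    return encoded.translate(_B32_TO_B32HEX).lower()


def microseconds_per_hash(name: str, salt_hex: str, iterations: int, rounds: int = 2000) -> float:
    """Average wall-clock cost of one hashed owner name at this iteration count (constructed micro-benchmark)."""
    start = time.perf_counter()
    for _ in range(rounds):
        nsec3_digest(name, salt_hex, iterations)
    return (time.perf_counter() - start) / rounds * 1e6


if __name__ == "__main__":
    # Illustrative name with the RFC 5155 salt; iteration counts chosen to show the linear growth in cost.
    baseline = microseconds_per_hash("www.example", "aabbccdd", 0)
    for iterations in (0, 10, 100, 500, 2500):
        cost = microseconds_per_hash("www.example", "aabbccdd", iterations)
        print(f"{iterations:5d} iterations: {cost:7.1f} us per hash ({cost / baseline:5.1f}x the cost at 0)")
```

The printed ratios show how many hash-equivalents each iteration count adds per name; an authoritative server pays this for every hashed name in a denial-of-existence response, which is where the per-query load measured in the paper comes from.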