• Getting Started
    • Startup Guide for eCommerce Website Builder
    • Startup Guide for Domain
    • Startup Guide for GO2 Brand

Knowledge Base

What additional resources are required to run a DNSSEC-enabled name server and/or caching resolver?

  • Knowledge Base
  • DNSSEC
DNSSEC RRs are large - significantly larger than the basic DNS RRs (A, PTR, NS, MX and SOA). An A RR is + 14 octets; however a typical DNSKEY or RRSIG RR is larger than the key size, which will likely typically be 1024 octets. Every RR in a DNSSEC-secured zone has a corresponding RRSIG RR, except for RRSIG RRs themselves and 'glue' A RRs. It's possible (but probably not desirable) to have multiple RRSIG RRs for each RR.

Accordingly, a signed zone uses more disk space on name servers, and more memory on both name servers and caching resolvers, than an unsigned one. The increase depends on a number of variables, particularly key size and the types of RRs in the zone. The size of DNSSEC responses is also significantly larger.

Finally, DNSSEC-enabled caching resolvers also have to perform CPU-intensive cryptographic validation operations. They only have to do this for signed zones for which they have a trust anchor, and should begin consume additional CPU only as a function of DNSSEC deployment. Note that someone could deliberately or inadvertently cause a degradation of service by sending large number of queries for uncached RRs, for example, traversing the NSEC RR chain for a large TLD.

Was this article helpful?

Helpful Not Helpful

Related Articles

Popular Articles

  • What type of supporting documents are required to apply for .MY domain name?
  • Startup Guide for GO2 Brand
  • What is a domain name?
  • How to renew my domain?
  • Startup Guide for Email

CONTACT SUPPORT

If you need any further help, our live chat is available to assist you (9 am - 9pm, Malaysian time) or email us at customercare@mynic.my

Copyright ©2025 MYNIC Berhad. All rights reserved. 1