Knowledge Base

What additional resources are required to run a DNSSEC-enabled name server and/or caching resolver?

DNSSEC RRs are large – significantly larger than the basic DNS RRs (A, PTR, NS, MX and SOA). An A RR is + 14 octets; however a typical DNSKEY or RRSIG RR is larger than the key size, which will likely typically be 1024 octets. Every RR in a DNSSEC-secured zone has a corresponding RRSIG RR, except for RRSIG RRs themselves and ‘glue’ A RRs. It’s possible (but probably not desirable) to have multiple RRSIG RRs for each RR.

Accordingly, a signed zone uses more disk space on name servers, and more memory on both name servers and caching resolvers, than an unsigned one. The increase depends on a number of variables, particularly key size and the types of RRs in the zone. The size of DNSSEC responses is also significantly larger.

Finally, DNSSEC-enabled caching resolvers also have to perform CPU-intensive cryptographic validation operations. They only have to do this for signed zones for which they have a trust anchor, and should begin consume additional CPU only as a function of DNSSEC deployment. Note that someone could deliberately or inadvertently cause a degradation of service by sending large number of queries for uncached RRs, for example, traversing the NSEC RR chain for a large TLD.

Was this article helpful?