* Jim Reid wrote:
> It would be good to get some real numbers here.
Yep.
> Dropping the NXDOMAINs by 70% seems very strange. If the same number of queries are being made as before, what answers are they getting back instead of NXDOMAIN?
*g* The good answers are usually cached on the customer side. Only the bad queries are resent after a short negative caching period. The validating resolver does not itself requery those questions but responds (from a cached and valid NSEC) with NXDOMAIN.
>> Crypto is cheap compared to networking.
> Please explain how you arrive at this conclusion.
RRSIG validation does occur on every freshly received record. Then the result of the validation is cached. OTOH resolving a query recursively requires at least one packet exchange with a remote system. This takes time. I compare timing and conclude that time_validating = time_queryDNSSEC + time_validation + n*time_lookup and time_recursing = n*time_query must not be in a strict order for every n. Speaking for the locally hosted signed zones (~500) I observe a big win. The win will be much better if the root were signed (because the resolver knows which TLDs do not exist from cache), so setting up a signed root for ourselves is a probable project in the near future.
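The mechanism the reply relies on, a validating resolver answering NXDOMAIN from an already validated NSEC instead of re-sending the bad query upstream, can be shown with a small model. The following is an added example, not code from either poster: a toy NSEC cache for a constructed zone `example.com`, with a canonical name ordering per the label-by-label rule of RFC 4034 and the closest-encloser/wildcard check in the spirit of RFC 8198. Signature validation is assumed to have already happened (the cached NSECs are trusted), and the zone contents, the NSEC chain and the query list are all constructed for the demonstration.

```python
"""Toy NSEC cache that synthesizes NXDOMAIN from validated NSEC records.

Added example; zone data, chain and queries are constructed, not real.
The NSECs are assumed to be already RRSIG-validated.
"""


def labels(name):
    """Canonical sort key (RFC 4034 s.6.1): lowercased labels, rightmost first."""
    return tuple(l.lower().encode() for l in reversed(name.rstrip(".").split(".")))


def ancestors(name, apex):
    """Strict ancestors of name, nearest first, ending with the zone apex."""
    parts = name.split(".")
    depth = len(parts) - len(apex.split("."))
    for i in range(1, depth + 1):
        yield ".".join(parts[i:])


class NsecCache:
    def __init__(self, apex, nsecs):
        # nsecs: list of (owner, next_owner, set_of_types) in chain order
        self.apex = apex
        self.nsecs = nsecs
        self.owners = {labels(owner): owner for owner, _, _ in nsecs}

    def covering(self, name):
        """Cached NSEC whose span (owner, next) strictly contains name, else None."""
        k = labels(name)
        for owner, nxt, types in self.nsecs:
            lo, hi = labels(owner), labels(nxt)
            if lo < hi:
                inside = lo < k < hi
            else:  # last NSEC in the chain wraps around to the apex
                inside = k > lo or k < hi
            if not inside:
                continue
            # a name below a delegation (owner has NS, owner is not the apex)
            # lives in the child zone; the parent's NSEC proves nothing about it
            if "NS" in types and lo != labels(self.apex) and k[: len(lo)] == lo:
                return None
            return (owner, nxt, types)
        return None

    def proves_nxdomain(self, qname):
        """True when cached NSECs prove qname is absent and no wildcard could match."""
        if labels(qname) in self.owners or self.covering(qname) is None:
            return False
        # closest encloser = nearest ancestor proven to exist; every ancestor
        # between it and qname must be proven absent by a cached NSEC
        closest = None
        for anc in ancestors(qname, self.apex):
            if labels(anc) in self.owners:
                closest = anc
                break
            if self.covering(anc) is None:
                return False  # existence unknown: must ask upstream
        if closest is None:
            return False
        wildcard = "*." + closest
        # a wildcard at the closest encloser would make the answer a match, not NXDOMAIN
        return labels(wildcard) not in self.owners and self.covering(wildcard) is not None


def simulate(cache, queries):
    """Count queries answered from cache versus those that still go upstream."""
    synthesized = upstream = 0
    for q in queries:
        if cache.proves_nxdomain(q):
            synthesized += 1
        else:
            upstream += 1
    return synthesized, upstream


# Constructed chain for example.com: apex -> a -> delegated (a delegation) -> www -> apex
ZONE_CACHE = NsecCache("example.com", [
    ("example.com", "a.example.com", {"SOA", "NS", "RRSIG", "NSEC"}),
    ("a.example.com", "delegated.example.com", {"A", "RRSIG", "NSEC"}),
    ("delegated.example.com", "www.example.com", {"NS", "RRSIG", "NSEC"}),
    ("www.example.com", "example.com", {"A", "RRSIG", "NSEC"}),
])

# Constructed query mix: three junk names, one name under the delegation, one existing name
QUERIES = ["b.example.com", "zzz.example.com", "foo.bar.example.com",
           "x.delegated.example.com", "www.example.com"]

if __name__ == "__main__":
    for q in QUERIES:
        print(q, "->", "NXDOMAIN from cached NSEC" if ZONE_CACHE.proves_nxdomain(q) else "upstream")
    print("synthesized/upstream:", simulate(ZONE_CACHE, QUERIES))
```

The three junk names are answered without any packet leaving the resolver, which is the effect the reply describes; the name under `delegated.example.com` is not, because the parent's NSEC says nothing about the child zone, and a name equal to an NSEC owner is a positive answer handled by the ordinary cache. A zone with a wildcard at the closest encloser also blocks synthesis, since the answer would then be a wildcard match rather than NXDOMAIN.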