On Feb 16, 2007, at 09:20, Lutz Donnerhacke wrote:
> DNSSEC validating on a larger resolver does scale well, because - that's the important observation I made - a lot of queries can be answered from cached NSEC records without querying further. The whole bunch of NXDOMAIN dropped by about 70% here.
It would be good to get some real numbers here. And to find out what happens to the already-crypto-validated-and-cached RRSIGs when their TTLs and "best before" dates change. Dropping the NXDOMAINs by 70% seems very strange. If the same number of queries are being made as before, what answers are they getting back instead of NXDOMAIN? Aha! It must be SERVFAIL because DNSSEC validation failed. :-)
> Crypto is cheap compared to networking.
Please explain how you arrive at this conclusion. Crypto is never cheap, especially the cost of the human factors in things like key management. Example: adding a host to some network is much less work than configuring SSH on that host and distributing its host key(s). I would like to know how running a cryptosystem is cheaper than moving bits around, all other things being equal.
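The two open questions in the message above, how cached NSEC records can answer a query without going upstream and what happens to those cached proofs when their TTLs and signature validity windows run out, are easier to reason about with a small model. The following Python is an added example, not code from either poster or from any resolver: it implements RFC 4034 canonical name ordering, the "is this name covered by this NSEC" test, a cache that only trusts a proof while both its TTL and its RRSIG expiration hold, and a resolver that synthesizes NXDOMAIN when it has a covering NSEC plus a wildcard denial. The zone `example.org.`, its NSEC chain, the TTL/expiration values and the query stream are all constructed for illustration, and the closest encloser is approximated by the query name's immediate parent (a full implementation derives it from the NSEC chain).

```python
"""Toy model of aggressive negative caching from NSEC records (the mechanism
behind "answered from cached NSEC records without querying further").
All zone data, TTLs and queries are constructed for this example."""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 canonical ordering key: labels compared from the root,
    case-insensitively and bytewise; an ancestor sorts before its descendants."""
    name = name.rstrip(".").lower()
    return tuple(l.encode() for l in reversed(name.split("."))) if name else ()


def covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the NSEC owner -> nxt proves qname does not exist, i.e. qname
    sorts strictly between them. An exact match with owner means the name
    exists (its NSEC type bitmap says what it has), so it is not 'covered'."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC of the chain: nxt is the zone apex, so it covers everything in
    # the zone that sorts after owner (caller ensures qname is inside the zone).
    return q > o


@dataclass
class CachedNsec:
    owner: str
    nxt: str
    cached_at: int         # seconds, when the record was validated and cached
    ttl: int
    rrsig_expiration: int  # RRSIG "best before" time, absolute seconds

    def usable(self, now: int) -> bool:
        # A cached proof is only good while both its TTL and its signature hold;
        # whichever runs out first ends its usefulness.
        return now < min(self.cached_at + self.ttl, self.rrsig_expiration)


class Resolver:
    def __init__(self, nsecs):
        self.cache = list(nsecs)   # validated NSEC records, as if from earlier answers
        self.upstream_queries = 0
        self.synthesized = 0

    def _covered(self, name: str, now: int) -> bool:
        return any(r.usable(now) and covers(r.owner, r.nxt, name) for r in self.cache)

    def resolve(self, qname: str, now: int) -> str:
        # Synthesizing NXDOMAIN needs two proofs: the name itself is covered, and
        # no wildcard could have matched it. The closest encloser is approximated
        # here by the immediate parent (hypothetical simplification).
        parent = qname.split(".", 1)[1]
        wildcard = "*." + parent
        if self._covered(qname, now) and self._covered(wildcard, now):
            self.synthesized += 1
            return "NXDOMAIN"
        self.upstream_queries += 1
        return "UPSTREAM"


def simulate(now: int = 1000):
    """Constructed zone example.org. with four names; returns
    (answered_from_cache, sent_upstream) for a fixed query stream."""
    chain = [("example.org.", "alpha.example.org."),
             ("alpha.example.org.", "mail.example.org."),
             ("mail.example.org.", "www.example.org."),
             ("www.example.org.", "example.org.")]   # last record wraps to the apex
    cache = [CachedNsec(o, n, cached_at=0, ttl=3600, rrsig_expiration=86400)
             for o, n in chain]
    r = Resolver(cache)
    queries = ["beta.example.org.", "zzz.example.org.", "www.example.org.",
               "ftp.example.org.", "alpha.example.org.", "nope.example.org."]
    for q in queries:
        r.resolve(q, now)
    return r.synthesized, r.upstream_queries


if __name__ == "__main__":
    print("fresh cache:", simulate(now=1000))    # names that exist still go upstream
    print("after TTL:  ", simulate(now=5000))    # expired proofs: everything goes upstream
```

With a fresh cache, four of the six constructed queries are answered as NXDOMAIN without an upstream query and only the two existing names go upstream; once `now` passes the TTL (or the RRSIG expiration, whichever is earlier) the same query stream goes entirely upstream, which is the point of the TTL question in the reply: the saving lasts exactly as long as the cached, validated proofs do.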