In message <ca+fq9b-ym5w+ndxzzndzwnnqk-v29s19enb_myjbk-jrgbj...@mail.gmail.com>, Augie Schwer writes:

> Would measuring the number of SERVFAIL entries in the "query-errors"
> category be a good indicator of what impact enabling DNSSEC has?
>
> I am replaying some production traffic at a test instance; once with DNSSEC
> enabled and once with it disabled and then counting the number of entries
> logged via the query-errors category to get an indication of what impact
> enabling DNSSEC on my production hosts would be.
>
> Is this a good way to measure? Is there a better way?
Provided you aren't blocking EDNS responses, including fragmented UDP responses, you shouldn't see extra failures.

DNSSEC is like wearing a seatbelt. 99.99% of the time it has no impact. And like a seatbelt it can save you (reject spoofed answers) or hinder you (lookups fail due to the zone not being re-signed) on rare occasions. The biggest impact it has is enabling new applications.

> --
> Augie Schwer - au...@schwer.us - http://schwer.us

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
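As an added illustration of the measurement Augie describes (this is not code from the thread or from ISC), the script below counts SERVFAIL entries in BIND query-errors output from the two replay runs and reports only the name/type pairs that fail with DNSSEC enabled but not in the baseline run, so failures that exist anyway are not blamed on DNSSEC. The log-line layout and the sample lines are constructed assumptions, not captured output.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of BIND's query-errors category
# (assumed format; not taken from the thread). One string per replay run.
DNSSEC_OFF_LOG = """\
12-Mar-2012 10:00:01.123 query-errors: info: client 192.0.2.10#53001 (broken.example): query failed (SERVFAIL) for broken.example/IN/A at query.c:1234
12-Mar-2012 10:00:02.456 query-errors: info: client 192.0.2.10#53002 (www.example.net): query failed (SERVFAIL) for www.example.net/IN/AAAA at query.c:1234
"""
DNSSEC_ON_LOG = """\
12-Mar-2012 11:00:01.123 query-errors: info: client 192.0.2.10#53101 (broken.example): query failed (SERVFAIL) for broken.example/IN/A at query.c:1234
12-Mar-2012 11:00:02.456 query-errors: info: client 192.0.2.10#53102 (www.example.net): query failed (SERVFAIL) for www.example.net/IN/AAAA at query.c:1234
12-Mar-2012 11:00:03.789 query-errors: info: client 192.0.2.10#53103 (expired.example): query failed (SERVFAIL) for expired.example/IN/A at query.c:1234
12-Mar-2012 11:00:04.012 query-errors: info: client 192.0.2.10#53104 (expired.example): query failed (SERVFAIL) for expired.example/IN/A at query.c:1234
12-Mar-2012 11:00:05.345 query-errors: info: client 192.0.2.10#53105 (private.example): query failed (REFUSED) for private.example/IN/A at query.c:5678
"""

# Pull the rcode, query name and query type out of a query-errors line.
LINE_RE = re.compile(
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<qname>[^/\s]+)/IN/(?P<qtype>\S+)"
)


def count_failures(log_text, rcode="SERVFAIL"):
    """Map (qname, qtype) -> number of query-errors lines with the given rcode."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("rcode") == rcode:
            counts[(m.group("qname"), m.group("qtype"))] += 1
    return counts


def compare_runs(baseline_text, dnssec_text):
    """Summarise SERVFAILs in both runs and isolate the ones new with DNSSEC."""
    base = count_failures(baseline_text)
    sec = count_failures(dnssec_text)
    new_with_dnssec = {k: v for k, v in sec.items() if k not in base}
    return {
        "baseline_total": sum(base.values()),
        "dnssec_total": sum(sec.values()),
        "new_with_dnssec": new_with_dnssec,
    }


if __name__ == "__main__":
    report = compare_runs(DNSSEC_OFF_LOG, DNSSEC_ON_LOG)
    print(report)
```

Names that appear only under "new_with_dnssec" are the ones to check for validation problems (for example a zone that was not re-signed), while a rise in the totals with no new names usually points at something else, such as blocked EDNS or fragmented UDP responses.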