On Wed, Jan 23, 2013 at 11:38 AM, Augie Schwer <augie.sch...@gmail.com> wrote:
>
> On Tue, Jan 22, 2013 at 2:32 PM, Mark Andrews <ma...@isc.org> wrote:
>>
>>
>> In message
>> <ca+fq9b-ym5w+ndxzzndzwnnqk-v29s19enb_myjbk-jrgbj...@mail.gmail.com>, Augie
>> Schwer writes:
>> >
>> > Would measuring the number of SERVFAIL entries in the "query-errors"
>> > category be a good indicator of what impact enabling DNSSEC has?
>
>
>>
>> DNSSEC is like wearing a seatbelt.  99.99% of the time it has no
>> impact.  And like a seatbelt it can save you (reject spoofed answers)
>> or hinder you (lookups fail due to the zone not being re-signed)
>> on rare occasions.
>
>
> That makes sense to me; I was looking for a way to quantify the effect of
> enabling DNSSEC validation in a BIND server.
>
> Measuring SERVFAILs seems to be a good proxy to measure DNSSEC's impact.
>
> Thanks for the reply.

SERVFAILs are not rare and come from many things. Looking at the delta
after enabling validation might be interesting, but in my experience
you are unlikely to see any difference beyond the jitter that will
always be there. Except for a couple of major goofs early on by a few
large orgs (e.g. NASA), the impact of validation is about zip.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
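
Added example, not part of the thread: one way to compare the daily SERVFAIL count in the "query-errors" category before and after validation is switched on, and to check whether the delta exceeds the baseline day-to-day jitter. The log line shape (print-time and print-category enabled), the sample lines, the cutover date and the `k` threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, date, timedelta
from statistics import mean, pstdev

# Assumed line shape, with print-time and print-category enabled on the channel:
# 23-Jan-2013 10:00:00.000 query-errors: info: client 192.0.2.10#4242: query failed (SERVFAIL) for ...
LINE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4}) \S+ query-errors: .*query failed \(SERVFAIL\)")

def daily_servfails(lines):
    """Count SERVFAIL entries per calendar day; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:
            counts[datetime.strptime(m.group(1), "%d-%b-%Y").date()] += 1
    return counts

def validation_delta(counts, cutover, k=2.0):
    """Compare mean daily SERVFAILs before/after `cutover` against baseline jitter.
    k (assumed threshold) is how many standard deviations count as a real change."""
    first, last = min(counts), max(counts)
    # Fill the whole date range so days with zero SERVFAILs still count as days.
    days = [first + timedelta(n) for n in range((last - first).days + 1)]
    before = [counts[d] for d in days if d < cutover]
    after = [counts[d] for d in days if d >= cutover]
    if len(before) < 2 or not after:
        raise ValueError("need at least two baseline days and one day after cutover")
    base, jitter = mean(before), pstdev(before)
    delta = mean(after) - base
    return {"baseline": base, "jitter": jitter, "delta": delta,
            "beyond_jitter": abs(delta) > k * jitter}

def sample_lines():
    """Constructed log lines (not from a real server): 3 baseline days, 2 days after."""
    per_day = {"20": 4, "21": 6, "22": 5, "23": 5, "24": 6}
    lines = ["21-Jan-2013 00:00:01.000 general: info: zone example.org/IN: loaded serial 2013012101"]
    for day, n in per_day.items():
        lines += [f"{day}-Jan-2013 10:00:{i:02d}.000 query-errors: info: client 192.0.2.10#4242: "
                  f"query failed (SERVFAIL) for host{i}.example.org/IN/A at query.c:1234"
                  for i in range(n)]
    return lines

if __name__ == "__main__":
    result = validation_delta(daily_servfails(sample_lines()), date(2013, 1, 23))
    print(result)
```
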
