Worst case should be double the queries which happens when there isn’t a cached DNSKEY RRset to validate the response. If there are multiple queries clustered together the overhead is reduced.
-- Mark Andrews > On 14 Apr 2022, at 22:23, Andrew P. <andrew...@hotmail.com> wrote: > > Greetings, all. > > I had a surprise on the bill from my secondary DNS provider after I turned on > DNSSEC. The number of record queries on my domains increased by a factor of > about 5, compared to the number of record queries when I didn't have DNSSEC. > Is this normal for DNSSEC? It's been a consistent significantly higher query > level since deploying DNSSEC 3 months ago on 2 small domains (total of 120 > records across the two domains), and it was 57 new RRSIG, DNSKEY, and > NSEC3PARAM records added the domains for the DNSSEC. > > The average number of attacks per day on my webserver (according to the > server logs) does not appear to have increased since the DNSSEC deployment. > > This is for the ka2ddo.org and ka2ddo.radio domains. > > So, is DNSSEC really that much more costly in terms of queries? > > Andrew Pavlin > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
