From: George Michaelson <g...@algebras.org>
Date: Tuesday, December 22, 2015 at 5:39 PM
To: dnsop WG <dnsop@ietf.org>, Lee Howard <lee.how...@twcable.com>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-isp-ip6rdns-01.txt
> I want to dispute one part of this: the "DNSSEC may not scale well" part. With thanks to Ray Bellis, APNIC has been running an evldns webserver which signs on the fly, and we have achieved north of 3000 signs/second from this code on a smallish cloud node signing on demand.

Can you quantify "smallish"? Unfortunately, the folks I know who can tell me our PTR query rate are out for a couple of weeks, but it would stand to reason that the RIRs would get a lot of qps.

> Our model was unique domains (the 1x1 ad system) but Ray coded a simple ring buffer and for the repeat queries, there was a demonstrable cache benefit to keeping some amount of signed state live without having to re-sign.

Makes sense. When this part of the text was first written, 5-6 years ago, the statement was truer than it is now. I could rewrite to say, "Signing PTR records on the fly may be scalable, especially if records thus signed are cached, but large-scale experience is currently limited."

Ralf's additional note about DDoS scenarios is well taken, but I have a feeling APNIC is under constant attack. In other words: more input needed.

Lee

> I think that on-the-fly DNSSEC for IPv6 is tractable.
>
> -George
>
> On Wed, Dec 23, 2015 at 5:48 AM, <internet-dra...@ietf.org> wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations Working Group of the IETF.
>>
>> Title : Reverse DNS in IPv6 for Internet Service Providers
>> Author : Lee Howard
>> Filename : draft-ietf-dnsop-isp-ip6rdns-01.txt
>> Pages : 13
>> Date : 2015-12-22
>>
>> Abstract:
>> In IPv4, Internet Service Providers (ISPs) commonly provide IN-ADDR.ARPA information for their customers by prepopulating the zone with one PTR record for every available address. This practice does not scale in IPv6. This document analyzes different approaches and considerations for ISPs in managing the ip6.arpa zone for IPv6 address space assigned to many customers.
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-isp-ip6rdns/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-dnsop-isp-ip6rdns-01
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-isp-ip6rdns-01
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop