[Cryptech Tech] Draft Requirements

Warren Kumari warren at kumari.net
Mon Feb 16 02:45:28 UTC 2015


Some nits:

DNSSEC Use Case:
"Each update to the requires 3-4 signatures (per algorithm)" -- a word
is missing, I'm assuming "zone"?

"Resign SOA (signed by KSK)"
The SOA (like most other records) is signed with the ZSK. The KSK signs the ZSK.
and:
"Resign NSEC/NSEC"  - I think you wanted NSEC/NSEC3


Also, a large number of zones get signed in full, not on the fly. For
performance (and various other reasons) it is fairly common to store
the KSK in an offline HSM, put the ZSK on general purpose machines and
use the CPU to sign.
This makes the signing performance of the HSM not very important at all.

There are some who sign on hardware, but it's tricky to get actual
performance numbers from folk - however, here are some commercial HSM
performance numbers from testing by the opendnssec folk:
http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf

For one bit of hardware this got ~1000 sig/sec for RSA1024 and ~23
sig / sec for RSA4096.
These performance numbers are only important if a: you sign with the
HSM and b: you need to resign the entire zone.
Even if you normally sign each record, you still need to be able to
resign the entire zone under some conditions (including keyroll).

Just for more scaling info, as of Jan 2014 .uk (a very large cc) had
10.5M domains. At 1000 sig/sec that's around 2h55min to resign with
RSA1024 and that bit of kit.

W

On Wed, Feb 11, 2015 at 10:33 PM, Jakob Schlyter <jakob at kirei.se> wrote:
> Joachim and I have collected an initial set of requirements at https://trac.cryptech.is/wiki/Requirements, please give us feedback.
>
>         jakob
>
> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
