Today the RIPE DNS for LIRs Training Course did take place. (some not up to date course material can be found here)
Managing some thousands of zones inclusive nameserver infrastructure behind since several years, I thought it would be neat to provide a secure dns chain to our costumers.
After going deeper into the material within the course, I recognized the following impacts:
- only bind9 (>= 9.3) and NSD privides support (yet)
- bandwidth will be increased 2-3 times with max. key size
- increased memory usage depending on your server software
- operational costs will increasing dramatically due significant higher amount of regular work
- more computing power (hardware) needed to generate dnssec ready zones and signing
- unknown influence on resolving nameservers (load/memory/bandwidth)
- chain of trust ends at resolving nameserver and is not provided to enduser
Since the last issue isn't solved (yet), it doesn't make any sense for me to invest resources into setting up DNSSec infrastructure, cause the end user would not recognize if the communication with the resolving nameserver or the resolving nameserver itself is taken over.
Any complaints and/or hint? Did I missed something?