Trying to understand DNSSEC and BIND versions better

Chris Adams cmadams at
Fri Jun 5 02:49:21 UTC 2009

Since I read that the root is supposed to be signed by the end of the
year, I am just trying to understand DNSSEC support and the various
versions of BIND a little better here, so please don't throw too many
rocks if I ask something stupid...

I run the nameservers for an ISP.  For the recursive servers, what are
the hazards in enabling DNSSEC (once the root is signed, so no DLV
necessary I guess)?  I know the things that generally break with
"regular" DNS, but I don't know that with DNSSEC (I know there have been
DLV troubles but that's it).

Currently, my servers run BIND 9.3.4-10.P1 (as patched by Red Hat in
RHEL; we typically stick with their security patched version, since
that's what we pay them for).  What does that mean with .ORG for
example, where NSEC3 is used?  Would we just not see NXDOMAIN responses
as validated (and what happens to unvalidated responses)?  I've put in a
request to Red Hat to update to a version that supports NSEC3 but I
don't know what their response will be yet.

For our authoritative servers, we'll need to set up a system to sign the
zones.  Is it expected that ISPs will sign every zone they serve, or
just the domains we consider "important"?  What kind of problems might
be expected here?

In both cases, what kind of CPU and/or RAM overhead will large-scale use
of DNSSEC add?
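As an added illustration (not part of this post or its thread), the following script walks a constructed chain of trust and shows what an NSEC3-unaware validator does with a zone like .ORG: per RFC 4035 section 5.2, a DS RRset whose algorithms the validator does not support makes the child zone "insecure" (answered normally, AD bit clear) rather than "bogus" (SERVFAIL), and RFC 5155 assigned NSEC3-signed zones the new algorithm numbers 6 and 7 precisely to trigger that path. The zone names, DS contents and the two capability sets are assumptions for the example, not a statement of any exact BIND release's algorithm list.

```python
"""Walk a DNSSEC chain of trust and report each zone's security status for a
validator that understands only a given set of DNSKEY/DS algorithms.

Rules applied (RFC 4035 s5.2, RFC 5155):
  * a zone is secure only if its parent is secure AND at least one DS record
    at the cut uses an algorithm the validator supports;
  * otherwise the zone is "insecure": answers (including NXDOMAIN) are
    returned with AD=0, never SERVFAIL;
  * once a cut is insecure, everything below it is insecure too, even if the
    child zone itself is signed with a supported algorithm (no secure entry
    point; DLV is the only way around that and is out of scope here).
"""

# DNSKEY/DS algorithm numbers from the IANA registry
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7          # introduced by RFC 5155 for NSEC3-signed zones

# Assumed capability sets (illustrative): a validator without NSEC3 support,
# like the poster's BIND 9.3, versus one that understands RFC 5155.
NO_NSEC3 = {RSASHA1}
WITH_NSEC3 = {RSASHA1, RSASHA1_NSEC3_SHA1}

# Constructed chain, root downward; each entry is the child of the previous.
# ds_algorithms is None for the trust-anchor zone (secured by configuration,
# not by a DS record in a parent).
CHAIN = [
    (".", None),                        # trust anchor, assumed algorithm 5
    ("org.", [RSASHA1_NSEC3_SHA1]),     # .org is NSEC3-signed, so algorithm 7
    ("example.org.", [RSASHA1]),        # a customer zone signed with algorithm 5
]


def zone_status(chain, trust_anchor_alg, supported):
    """Return {zone: 'secure' | 'insecure'} for every zone in the chain."""
    status = {}
    parent_secure = trust_anchor_alg in supported
    for zone, ds_algs in chain:
        if ds_algs is None:
            secure = parent_secure
        else:
            # Both conditions are required; failing either yields "insecure",
            # which a validating resolver treats exactly like an unsigned zone.
            secure = parent_secure and any(a in supported for a in ds_algs)
        status[zone] = "secure" if secure else "insecure"
        parent_secure = secure
    return status


if __name__ == "__main__":
    for label, caps in (("NSEC3-unaware", NO_NSEC3), ("NSEC3-aware", WITH_NSEC3)):
        print(label, zone_status(CHAIN, RSASHA1, caps))
```

Note the third row: with an NSEC3-unaware validator the customer's own zone is not validated either, even though it uses algorithm 5, because the path through .org was already downgraded to insecure.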
