How to measure the impact of enabling DNSSEC?

Mark Andrews marka at
Tue Jan 22 22:32:39 UTC 2013

In message <CA+fq9b-ym5w+NDXzZNDZWNnqk-V29S19eNB_myJBK-JRGBj9Wg at>, Augie Schwer wri
> Would measuring the number of SERVFAIL entries in the "query-errors"
> category be a good indicator of what impact enabling DNSSEC has?
> I am replaying some production traffic at a test instance; once with DNSSEC
> enabled and once with it disabled and then counting the number of entries
> logged via the query-errors category to get an indication of what impact
> enabling DNSSEC on my production hosts would be.
> Is this a good way to measure? Is there a better way?

Provided you arn't blocking EDNS responses, including fragmented
UDP responses, you shouldn't see extra failures.

DNSSEC is like wearing a seatbelt.  99.99% of the time it has no
impact.  And like a seatbelt it can save you (reject spoofed answers)
or hinder you (lookups fail due to the zone not being re-signed)
on rare occasions.

The biggest impact it has is enabling new applications.

> -- 
> Augie Schwer    -    Augie at    -
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list