hardware crypto support for dnssec validation?

Francis Dupont Francis.Dupont at fdupont.fr
Sat Jul 12 20:27:35 UTC 2008


 In your previous mail you wrote:

   i was under the impression that this wasn't necessary since verification
   was so much faster than generation in the signature alg's used in dnssec.
   
=> it depends on the exact algorithm used, and for RSA on implementation
details (use of CRT, Chinese Remainder Theorem).
"openssl speed" should help, on my macbook:
openssl speed rsa1024 -> 147 sign/s 3450 verify/s ratio 23
openssl speed dsa1024 -> 357 sign/s 302 verify/s ratio .84
(so now you know why everybody wanted RSA :-)!

But don't believe a HSM (crypto hardware) will really improve DNSSEC
performance with common settings. The interest of a HSM is its key
store and obviously this is only for the signing side.

   Since you mentioned hardware crypto, one thing on my wishlist:
   BIND 9 support for using hardware crypto for both zone signing
   and signature verifications. 
   
=> you should get benefits from the crypto hardware for all usual
crypto operations, including random generation.

   I think I recall someone (Nominet?) recently doing some work on a 
   version of dnssec-signzone that uses a HSM.

=> there is some HSM support in the (forthcoming) version 9.6

   But I've not yet
   heard anyone talking about modifying named to use hardware crypto
   to verify DNSSEC signatures -- for use as a high performance validating 
   resolver. Granted the need for a really high performance validator
   is not a pressing concern until there is much more widespread 
   deployment of signed zones. But sooner or later it will be ..

=> to avoid disappointments, have you profiled such a validating resolver?
   
   Our current DNS hardware consists of a number of Sun UltraSPARC-T1
   based systems -- which have multiple on-chip crypto hardware
   modules (modular arithmetic units).

=> I know it only from Sun announcements...

   All we need is a version of BIND that can use the openssl-engine pkcs11 
   interfaces to access them!
   
=> if you are an ISC supported customer you know the next step...

Regards

Francis.Dupont at fdupont.fr
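The sign/verify asymmetry Francis measures with "openssl speed" comes from the exponent sizes: an RSA verify is one modular exponentiation with a short public exponent (65537), a sign is one with a full-size private exponent, and the CRT trick splits the sign into two half-size exponentiations. The script below is an added illustration, not code from the thread or from BIND or OpenSSL; it uses textbook RSA on a raw SHA-256 digest with no padding (fine for timing, never for real signatures), generates its own throwaway key, and benchmarks plain signing, CRT signing and verification on a constructed record string. It needs Python 3.8+ for the modular inverse via `pow(x, -1, m)`.

```python
"""Added example: why DNSSEC validation (RSA verify) is far cheaper than
signing, and what the CRT buys the signer.  Textbook RSA, no padding."""
import random
import time
from hashlib import sha256


def is_probable_prime(n, rounds=25):
    """Miller-Rabin probabilistic primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits=1024, e=65537):
    """Throwaway RSA key plus the CRT parameters (dp, dq, qinv)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this is gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def digest(msg):
    """Message representative: the SHA-256 digest as an integer (< n)."""
    return int.from_bytes(sha256(msg).digest(), "big")


def sign_plain(key, msg):
    """One full-size exponentiation: m^d mod n."""
    return pow(digest(msg), key["d"], key["n"])


def sign_crt(key, msg):
    """Two half-size exponentiations mod p and mod q, recombined (Garner)."""
    m, p, q = digest(msg), key["p"], key["q"]
    s1 = pow(m % p, key["dp"], p)
    s2 = pow(m % q, key["dq"], q)
    h = (key["qinv"] * (s1 - s2)) % p
    return s2 + h * q


def verify(key, msg, sig):
    """One exponentiation with the short public exponent: s^e mod n."""
    return pow(sig, key["e"], key["n"]) == digest(msg)


def bench(fn, repeat=50):
    """Best-of-N wall time of one call, which is robust to background noise."""
    best = float("inf")
    for _ in range(repeat):
        t = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - t)
    return best


def compare(bits=1024, repeat=50):
    """Sign/verify timings and correctness checks on a constructed RR string."""
    key = generate_key(bits)
    msg = b"example.  IN A 192.0.2.1"        # constructed sample, not real zone data
    sig = sign_plain(key, msg)
    t_sign = bench(lambda: sign_plain(key, msg), repeat)
    t_crt = bench(lambda: sign_crt(key, msg), repeat)
    t_verify = bench(lambda: verify(key, msg, sig), repeat)
    return {"valid": verify(key, msg, sig),
            "tampered_rejected": not verify(key, b"example.  IN A 192.0.2.2", sig),
            "crt_matches": sign_crt(key, msg) == sig,
            "sign": t_sign, "sign_crt": t_crt, "verify": t_verify,
            "verify_speedup": t_sign / t_verify, "crt_speedup": t_sign / t_crt}


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>18}: {v}")
```

Expect the verify/sign ratio to be in the tens, which matches the rsa1024 numbers quoted in the mail, and the CRT signer to land a few times faster than the plain one; that gap is exactly why a validating resolver gains much less from an HSM than a zone signer does. The `tampered_rejected` check is the validator's side of the story: changing one octet of the RDATA changes the digest and the signature no longer verifies.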

