hardware crypto support for dnssec validation?
Francis Dupont
Francis.Dupont at fdupont.fr
Sat Jul 12 20:27:35 UTC 2008
In your previous mail you wrote:
> i was under the impression that this wasn't necessary since verification
> was so much faster than generation in the signature algs used in dnssec.
=> it depends on the exact algorithm used, and for RSA on implementation
details (use of CRT, Chinese Remainder Theorem).
"openssl speed" should help, on my macbook:
openssl speed rsa1024 -> 147 sign/s 3450 verify/s ratio 23
openssl speed dsa1024 -> 357 sign/s 302 verify/s ratio .84
(so now you know why everybody wanted RSA :-)!
But don't believe an HSM (crypto hardware) will really improve DNSSEC
performance with common settings. The interest of an HSM is its key
store and obviously this is only for the signing side.
> Since you mentioned hardware crypto, one thing on my wishlist:
> BIND 9 support for using hardware crypto for both zone signing
> and signature verifications.
=> you should get benefits from the crypto hardware for all usual
crypto operations, including random generation.
> I think I recall someone (Nominet?) recently doing some work on a
> version of dnssec-signzone that uses an HSM.
=> there is some HSM support in the (forthcoming) version 9.6
> But I've not yet
> heard anyone talking about modifying named to use hardware crypto
> to verify DNSSEC signatures -- for use as a high performance validating
> resolver. Granted the need for a really high performance validator
> is not a pressing concern until there is much more widespread
> deployment of signed zones. But sooner or later it will be...
=> to avoid disappointments, have you profiled such a validating resolver?
> Our current DNS hardware consists of a number of Sun UltraSPARC-T1
> based systems -- which have multiple on-chip crypto hardware
> modules (modular arithmetic units).
=> I know it only from Sun announcements...
> All we need is a version of BIND that can use the openssl-engine pkcs11
> interfaces to access them!
=> if you are an ISC supported customer you know the next step...
Regards
Francis.Dupont at fdupont.fr
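The sign/verify ratios quoted from "openssl speed" above follow from how square-and-multiply exponentiation scales with the exponent, and from whether the signer uses the CRT. The script below is an added illustration, not code from the thread or from BIND/OpenSSL: it builds a toy, seeded 1024-bit RSA key in pure Python (assumed: Miller-Rabin with 32 rounds and e = 65537, which is not a production key generator), counts the modular multiplications done by a plain signature, a CRT signature and a verification, weights each count by the quadratic cost of its modulus size, and reports the resulting cost ratios. With the page's settings (RSA-1024, e = 65537) the weighted CRT-sign/verify ratio comes out in the low twenties, which is the order of magnitude the post reports for rsa1024.

```python
"""Why RSA verification is far cheaper than signing, and what CRT buys the signer.

Square-and-multiply costs about one modular multiplication per exponent bit plus
one per set bit.  Verification uses e = 65537 (17 bits, two of them set); signing
uses d, which is as long as the modulus.  CRT signing does two half-size
exponentiations, and schoolbook modular multiplication cost grows with the square
of the operand size, so CRT cuts the signing cost by roughly four.
Key generation below is a seeded pure-Python toy for the illustration only.
"""
import math
import random
import time

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test (toy; enough for an illustration)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_key(bits=1024, e=65537, seed=2008):
    """Return (n, e, d, p, q, dp, dq, qinv); seeded so every run gives the same key."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return (p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, modular multiplications used)."""
    result, count = 1, 0
    for bit in bin(exp)[2:]:
        result, count = result * result % mod, count + 1
        if bit == "1":
            result, count = result * base % mod, count + 1
    return result, count


def sign_plain(m, key):
    n, _, d = key[:3]
    return modexp_counted(m, d, n)


def sign_crt(m, key):
    _, _, _, p, q, dp, dq, qinv = key
    s1, c1 = modexp_counted(m % p, dp, p)
    s2, c2 = modexp_counted(m % q, dq, q)
    h = qinv * (s1 - s2) % p           # Garner recombination
    return s2 + h * q, c1 + c2


def verify(m, s, key):
    n, e = key[:2]
    r, c = modexp_counted(s, e, n)
    return r == m, c


def relative_cost(count, mod_bits):
    """Weight a multiplication count by the quadratic cost of its modulus size (1024-bit = 1.0)."""
    return count * (mod_bits / 1024) ** 2


def compare(key, m=0x1234567890ABCDEF):
    """Multiplication counts and weighted cost ratios for plain sign, CRT sign and verify."""
    n, _, _, p, q = key[:5]
    s_plain, c_plain = sign_plain(m, key)
    s_crt, c_crt = sign_crt(m, key)
    ok, c_ver = verify(m, s_plain, key)
    if not ok or s_plain != s_crt:
        raise RuntimeError("CRT and plain signatures disagree or fail to verify")
    cost_ver = relative_cost(c_ver, n.bit_length())
    cost_plain = relative_cost(c_plain, n.bit_length())
    cost_crt = relative_cost(c_crt, max(p.bit_length(), q.bit_length()))
    return {"verify_mults": c_ver, "sign_mults": c_plain, "sign_crt_mults": c_crt,
            "sign_over_verify": cost_plain / cost_ver,
            "sign_crt_over_verify": cost_crt / cost_ver}


def timed_ratio(key, iters=50, m=0x1234567890ABCDEF):
    """Wall-clock CRT-sign/verify ratio using the interpreter's own pow(); varies per machine."""
    n, e, _, p, q, dp, dq, qinv = key
    t0 = time.perf_counter()
    for _ in range(iters):
        s1, s2 = pow(m % p, dp, p), pow(m % q, dq, q)
        s = s2 + (qinv * (s1 - s2) % p) * q
    t1 = time.perf_counter()
    for _ in range(iters):
        pow(s, e, n)
    t2 = time.perf_counter()
    return (t1 - t0) / (t2 - t1)


if __name__ == "__main__":
    k = gen_key()
    print(compare(k))
    print("measured CRT-sign/verify time ratio:", round(timed_ratio(k), 1))
```

The counts are exact for the toy key, while the weighted ratios are a model (quadratic multiplication cost, no Montgomery or Karatsuba tricks), which is why the measured wall-clock ratio printed last will differ from both the model and the openssl figures; the point that a validating resolver does only the cheap operation survives all three.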