Description
DNSSEC online signing is computationally expensive. In general, a DNSSEC signature cache can reduce the overhead of generating signatures on the fly. However, signature caching is not effective for wildcard responses in current Compact Denial of Existence implementations, because, with wildcard expansion, each query name can be unique yet still valid. In this talk, we present a new method of signing wildcard responses for Compact Denial of Existence, using a fabricated NSEC record that is smaller than the real NSEC range but still large enough to cover a set of non-existent names. We show that this type of wildcard response can improve the signature cache hit ratio for some DNS zones, reducing query latency and improving server performance. We verify that this new type of wildcard response is compatible with the DNS protocol and is accepted by common DNS recursive implementations such as BIND and Unbound.
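The caching effect described above, as an added simulation that is not the talk's code: a constructed zone with a wildcard, the per-query NSEC that current implementations emit versus a fabricated NSEC whose span is a first-letter bucket clipped to the real NSEC range, and the resulting signature-cache hit ratio over a stream of distinct query names. The zone contents, the query stream and the bucketing rule are assumptions made for the illustration.

```python
"""Simulated RRSIG-cache behaviour for wildcard responses under Compact
Denial of Existence. Constructed zone and query stream; not the talk's code."""
APEX = "example.com"
# Constructed zone: apex, the wildcard and two real hosts beside it.
ZONE_NAMES = [APEX, "*." + APEX, "mail." + APEX, "www." + APEX]

def canon(name):
    """RFC 4034 s6.1 ordering key: labels right-to-left, lowercased, as bytes."""
    return tuple(reversed(name.rstrip(".").lower().encode().split(b".")))

def real_range(qname):
    """Nearest existing names around qname; wraps to the apex if qname sorts last."""
    q = canon(qname)
    prev = max((n for n in ZONE_NAMES if canon(n) < q), key=canon)
    nxt = min((n for n in ZONE_NAMES if canon(n) > q), key=canon, default=APEX)
    return prev, nxt

def nsec_per_query(qname):
    """Current CDE-style proof: an NSEC spanning only the query name itself."""
    return (qname, "\\000." + qname)

def nsec_fabricated(qname, width=1):
    """Fabricated NSEC: names whose next-closer label shares `width` leading
    characters, clipped to the real range so no existing name is covered."""
    label = qname[: -len(APEX) - 1].lower()
    prefix = label[:width]
    lo = prefix + "." + APEX
    hi = prefix[:-1] + chr(ord(prefix[-1]) + 1) + "." + APEX
    prev, nxt = real_range(qname)
    owner = max(lo, prev, key=canon)
    # If the real span wraps to the apex, only the bucket bounds it above.
    upper = min(hi, nxt, key=canon) if canon(nxt) > canon(qname) else hi
    return owner, upper

def is_safe(qname, nsec):
    """The record must cover qname, and no existing name may fall inside it."""
    owner, upper = nsec
    inside = any(canon(owner) < canon(n) < canon(upper) for n in ZONE_NAMES)
    return canon(owner) <= canon(qname) < canon(upper) and not inside

def cache_hit_ratio(queries, make_nsec):
    """Share of responses whose NSEC (hence its RRSIG) was already cached."""
    seen, hits = set(), 0
    for q in queries:
        key = make_nsec(q)
        hits += key in seen   # a repeated (owner, next) pair reuses the signature
        seen.add(key)
    return hits / len(queries)

# Constructed stream of 520 distinct names, 20 per leading letter.
QUERIES = [f"{chr(97 + i % 26)}{i}.{APEX}" for i in range(520)]
```

With the per-query NSEC every response misses the cache; with the fabricated NSEC the 520 names collapse onto 26 records, so only the first query per bucket is signed.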
| Talk duration | 20 Minutes (+5 for Q&A) |
|---|---|