[tor-relays] Let's increase the amount of exit relays doing DNSSEC validation
nusenu
nusenu-lists at riseup.net
Thu Apr 12 12:23:00 UTC 2018
Dhalgren Tor:
> Respectfully, I disagree.
>
> https://lists.torproject.org/pipermail/tor-relays/2015-October/007904.html wrote:
> Spent a few minutes activating the DNSSEC trust-anchor for 'unbound'.
>
> Ran 'dig' on a few signed domains and observed that queries that took
> under 50 milliseconds without went to 2000 milliseconds with.
>
> My attitude toward DNSSEC has deteriorated steadily over time and this
> finishes it off for me. It's simply not worth the cost. Many serious
> folk have commented in detail on what a horror show it is.
>
> Disabled it on the exit.
>
> Without DNSSEC, 'unbound' has been reporting:
>
> server stats for thread 0: 1296326 queries, 454942 answers from cache,
> 841384 recursions, 0 prefetch
> server stats for thread 0: requestlist max 112 avg 28.1553 exceeded 0 jostled 0
> histogram of recursion processing times
> [25%]=0.00737672 median[50%]=0.0492239 [75%]=0.144125
I'll do some comparisons over some weeks or months and come back to this
once I have some more data to show.
--
https://mastodon.social/@nusenu
twitter: @nusenu_