www.nationalacademies.org
Chapter: 4 The Domain Name System: Technology Prospects
Excerpt
DNSSEC could also cause more timeouts that would degrade the quality of service for end users.[14] DNSSEC also introduces more complexity to the DNS and adds to the administrative requirements for managing the security mechanism.[15] For instance, the administrator of a large zone would probably experience great difficulty in re-signing his or her entire zone daily. This would require dividing the task among many smaller parallel operations that could be managed with software, a solution that is feasible given the DNSSEC design (which keeps signatures within a zone largely independent) but would not be without additional costs. Because public keys for the root zone will need to be replaced with new ones on a regular basis, key management for the digital signatures presents another problem for DNSSEC. In particular, the interaction of key revocation with global caching and the distribution of copies of a new public root key remain unresolved,
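The parallel re-signing described in the paragraph above, as an added example that is not part of the report: records are grouped into RRsets, each RRset is signed on its own, and the shards are signed concurrently and merged. The zone data, the key, the function names and the use of HMAC-SHA256 in place of a real public-key signature are all assumptions made for illustration; the NSEC chain that links adjacent names is not modelled.

```python
import hashlib
import hmac
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed sample zone: (owner, type, rdata). Not real data.
ZONE = [
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("www.example.test.", "A", "192.0.2.11"),
    ("mail.example.test.", "A", "192.0.2.25"),
    ("example.test.", "MX", "10 mail.example.test."),
]
ZONE_KEY = b"constructed-demo-key"  # stand-in for the zone signing key


def rrsets(records):
    """Group records into RRsets keyed by (owner, type), the unit DNSSEC signs."""
    sets = defaultdict(list)
    for owner, rtype, rdata in records:
        sets[(owner.lower(), rtype)].append(rdata)
    return {key: sorted(rdatas) for key, rdatas in sets.items()}


def sign_rrset(item, expiry):
    """Sign one RRset. The input is only this RRset plus the validity end
    time, so no call depends on any other RRset in the zone."""
    (owner, rtype), rdatas = item
    msg = "|".join([owner, rtype, str(expiry), *rdatas]).encode()
    # HMAC-SHA256 stands in for the public-key signature of a real signer.
    return (owner, rtype), hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def sign_serial(records, expiry):
    """Baseline: sign every RRset one after another."""
    return dict(sign_rrset(item, expiry) for item in rrsets(records).items())


def sign_sharded(records, expiry, workers=3):
    """Split the RRsets into shards, sign the shards in parallel, merge."""
    items = sorted(rrsets(records).items())
    shards = [items[n::workers] for n in range(workers)]

    def sign_shard(shard):
        return [sign_rrset(item, expiry) for item in shard]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {k: sig for part in pool.map(sign_shard, shards) for k, sig in part}
```

Because each signature covers one RRset, adding a record changes only that RRset's signature, while moving the expiry time forward (the daily re-sign) changes all of them.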