kzonecheck performance penalty with passive keys
I noticed that for zones with many signatures (>= ~100'000) kzonecheck can perform noticeably slower the more passive zone signing keys are included in the DNSKEY RR.
See below for how I signed and validated a sample zone foo. *1)
Validating a zone which has a single ZSK in a DNSKEY RR is always fast:
testing zsk-active Kfoo.+013+00084
real 1m8.325s user 1m7.822s sys 0m0.451s
If we add a passive ZSK then validation time can almost double:
testing zsk-active Kfoo.+013+00084, zsk-passive Kfoo.+013+39002
real 1m46.853s user 1m46.428s sys 0m0.402s
but not always:
testing zsk-active Kfoo.+013+00084, zsk-passive Kfoo.+013+39268
real 1m2.757s user 1m2.362s sys 0m0.388s
If we add a second passive ZSK then validation time can increase again:
testing zsk-active Kfoo.+013+30422, zsk-passive Kfoo.+013+14191, Kfoo.+013+22833
real 2m36.256s user 2m35.723s sys 0m0.454s
again, but not always:
testing zsk-active Kfoo.+013+39218, zsk-passive Kfoo.+013+14191, Kfoo.+013+22833
real 1m3.242s user 1m2.817s sys 0m0.410s
It looks like all ZSK keys in the DNSKEY RR are tried in turn to verify the signatures until one succeeds. Whether the validation process is fast or slow then depends on the order of the keys in the internal DNSKEY RR data structure.
If this assumption is correct, would it be possible to select the correct key before attempting to validate a signature?
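One way such a pre-selection can work, added here as an illustration and not taken from kzonecheck: RFC 4034 gives every DNSKEY a 16-bit key tag, and every RRSIG carries the signer name, algorithm and key tag of the key that produced it, so a validator can drop keys that cannot match before it spends any time in the signature verifier. Key tags are not unique, so the result is a shortlist rather than a single key; the `Dnskey`/`Rrsig` classes and the 64-byte keys below are constructed, and the tag collision is deliberate.

```python
"""Pre-select DNSKEY candidates for an RRSIG by (signer, algorithm, key tag).

Constructed example, not kzonecheck code: shows how the RFC 4034 key tag lets a
validator skip keys that cannot have produced a signature, and why a tag match
is only a shortlist (tags are 16 bits and can collide)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dnskey:
    owner: str
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int    # always 3 (RFC 4034 section 2.1.2)
    algorithm: int   # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (non-RSAMD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class Rrsig:
    signer: str
    algorithm: int
    key_tag: int


def select_candidates(sig: Rrsig, keys: list[Dnskey]) -> list[Dnskey]:
    """Keys that could possibly verify `sig`; only these need a crypto check."""
    return [k for k in keys
            if k.owner == sig.signer and k.protocol == 3
            and k.algorithm == sig.algorithm and key_tag(k.rdata()) == sig.key_tag]


# Constructed keys: 64-byte P-256 public keys, not real key material.
ACTIVE_ZSK = Dnskey("foo.", 256, 3, 13, b"\x01\x02" * 32)
PASSIVE_ZSK = Dnskey("foo.", 256, 3, 13, b"\x02\x01" * 32)
KSK = Dnskey("foo.", 257, 3, 13, b"\x03\x04" * 32)
# Deliberately shares ACTIVE_ZSK's key tag: the shortlist can still hold
# more than one key, and each of those must then be tried by the verifier.
COLLIDING_ZSK = Dnskey("foo.", 256, 3, 13, b"\x01\x02" * 30 + b"\x02\x04" + b"\x00\x00")
ZONE_KEYS = [KSK, PASSIVE_ZSK, ACTIVE_ZSK, COLLIDING_ZSK]

if __name__ == "__main__":
    sig = Rrsig("foo.", 13, key_tag(ACTIVE_ZSK.rdata()))
    cands = select_candidates(sig, ZONE_KEYS)
    print(f"key tag {sig.key_tag}: {len(cands)} of {len(ZONE_KEYS)} keys need a signature check")
```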
*1) sign and validate sample zone foo.
```shell
# Create keys
# KSK
dnssec-keygen -a ECDSAP256SHA256 -f KSK foo.
Generating key pair.
Kfoo.+013+59071
# ZSK
dnssec-keygen -a ECDSAP256SHA256 foo.
Generating key pair.
Kfoo.+013+29053

# Add keys to foo.zone using an editor
$INCLUDE Kfoo.+013+59071.key
$INCLUDE Kfoo.+013+29053.key

# sign zone
dnssec-signzone -o foo. -P -t -x foo.zone Kfoo.+013+59071.private Kfoo.+013+29053.private

# optional, but I like it "grep"able
named-compilezone -q -i none -k ignore -n ignore -F text -D -o foo.zone.check foo. foo.zone.signed

# verify zone
time kzonecheck -o foo. foo.zone.check
```