kzonecheck performance penalty with passive keys
I noticed that for zones with many signatures (>= ~100'000) kzonecheck can perform noticeably slower the more passive zone signing keys are included in the DNSKEY RR.
See below for how I signed and validated a sample zone foo. *1)
Validating a zone which has a single ZSK in a DNSKEY RR is always fast:
```
testing zsk-active Kfoo.+013+00084
real 1m8.325s
user 1m7.822s
sys 0m0.451s
```
If we add a passive ZSK then validation time can almost double:
```
testing zsk-active Kfoo.+013+00084, zsk-passive Kfoo.+013+39002
real 1m46.853s
user 1m46.428s
sys 0m0.402s
```
but not always:
```
testing zsk-active Kfoo.+013+00084, zsk-passive Kfoo.+013+39268
real 1m2.757s
user 1m2.362s
sys 0m0.388s
```
If we add a second passive ZSK then validation time can increase again:
```
testing zsk-active Kfoo.+013+30422, zsk-passive Kfoo.+013+14191, Kfoo.+013+22833
real 2m36.256s
user 2m35.723s
sys 0m0.454s
```
again, but not always:
```
testing zsk-active Kfoo.+013+39218, zsk-passive Kfoo.+013+14191, Kfoo.+013+22833
real 1m3.242s
user 1m2.817s
sys 0m0.410s
```
It looks like all ZSK keys in the DNSKEY RR are tried to verify the signatures until one is found which succeeds. It now depends on the internal DNSKEY RR data structure whether the validation process is fast or slow.
If this assumption is correct, would it be possible to select the correct key before attempting to validate a signature?
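One way to do the selection the question asks about, as an added illustration that is not kzonecheck code: compute each DNSKEY's key tag (RFC 4034 Appendix B, the number in the `Kfoo.+013+NNNNN` file names) and only hand an RRSIG to the keys whose tag and algorithm match it. The zone name and key bytes below are constructed, not real key material.

```python
"""Pick DNSKEY candidates for an RRSIG by key tag and algorithm (RFC 4034)."""
import base64
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, then the raw public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one presentation-format DNSKEY RR, e.g. the contents of a Kfoo.+013+NNNNN.key file."""
    fields = line.split()
    i = fields.index("DNSKEY")  # tolerates an optional TTL before the class
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return DNSKEY(fields[0], flags, proto, alg, pubkey)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag; algorithm 1 (RSA/MD5) uses another rule and is not handled."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(rrsig_key_tag: int, rrsig_alg: int, dnskeys: list[DNSKEY]) -> list[DNSKEY]:
    """Keys that can possibly verify an RRSIG: same key tag, same algorithm, DNSSEC protocol 3.

    Tags are 16-bit and may collide, so a verifier still checks every candidate, but it never
    runs the expensive signature check against keys whose tag cannot match.
    """
    return [k for k in dnskeys
            if k.protocol == 3 and k.algorithm == rrsig_alg and key_tag(k) == rrsig_key_tag]


# Constructed sample keys: a real ECDSAP256SHA256 public key is 64 random bytes.
ACTIVE = parse_dnskey("foo. IN DNSKEY 256 3 13 " + base64.b64encode(bytes(range(64))).decode())
PASSIVE = parse_dnskey("foo. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(bytes(range(64, 128))).decode())

if __name__ == "__main__":
    for k in (ACTIVE, PASSIVE):
        print(f"{k.owner} tag={key_tag(k)} alg={k.algorithm}")
    print([key_tag(k) for k in candidate_keys(key_tag(ACTIVE), 13, [PASSIVE, ACTIVE])])
```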
*1) sign and validate sample zone foo.
```
# Create keys
# KSK
dnssec-keygen -a ECDSAP256SHA256 -f KSK foo.
Generating key pair.
Kfoo.+013+59071
# ZSK
dnssec-keygen -a ECDSAP256SHA256 foo.
Generating key pair.
Kfoo.+013+29053
# Add keys to foo.zone using an editor
$INCLUDE Kfoo.+013+59071.key
$INCLUDE Kfoo.+013+29053.key
# sign zone
dnssec-signzone -o foo. -P -t -x foo.zone Kfoo.+013+59071.private Kfoo.+013+29053.private
# optional, but I like it "grep"able
named-compilezone -q -i none -k ignore -n ignore -F text -D -o foo.zone.check foo. foo.zone.signed
# verify zone
time kzonecheck -o foo. foo.zone.check
```