Costs of DNSSEC Server side (or "zone owner side"): key mgmt, more parent-child interaction, at security apexes also distribution of "trusted keys" (to validating resolvers) Resolver side: tracking trusted keys, and their rollovers (i.e. when an old key is replaced by a new key) Note that the server basically knows what to do, while the validating resolver has an open ended amount of work in finding out where all secure entry points are (i.e. the apex of each secure subtree in the absence of the entire tree being signed) |