This page is under construction.
How many Mbps of traffic are required to overload a DNS server's CPU,
when an attacker maliciously chooses traffic to create as much CPU load as possible?
This page is intended to report the results of publicly verifiable
against (1) DNSSEC servers and (2) DNSCurve servers.
Some initial notes:
DNSSEC was designed to offload all cryptographic work from busy servers.
However, DNSSEC makes DNS databases several times larger,
decreasing the effectiveness of server caches.
Furthermore, negative DNSSEC responses require extensive on-line computation.
DNSCurve keeps databases small,
and does not require any special handling for negative responses,
but requires some cryptographic work for every packet.
This is version 2009.07.06 of the cpu.html web page.