[afnog] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Wed May 19 00:33:07 UTC 2010


Hi Seun,

On 2010-05-18, at 19:43, Oluwaseun Ojedeji wrote:

> I have been following this update and was wondering... Well, I may be wrong, as I may not have enough knowledge right now about DNSSEC. But what I can tell is that anything in networking that has to do with SEC (security) in it, like IPSEC, may increase the data size in one way or the other. Is there any significant impact that these upgrades will have on our up/down link speed? We are trying to utilise our bandwidth in the best possible way we can.
> I also see that this has to do with root servers, so may I assume that it's actually the headache of those that have the DNS servers that we use... As in:
> End user(client) >>DNS server(ISP) >> root DNS ?

It's a fair assessment that adding signatures to things tends to make them bigger. The overhead in a priming query, for example (the first query a recursive resolver sends to a root server) is over 60%:

[octopus:~]% dig @L.ROOT-SERVERS.NET . NS +nodnssec | grep 'MSG SIZE'
;; MSG SIZE  rcvd: 492
[octopus:~]% dig @L.ROOT-SERVERS.NET . NS +dnssec | grep 'MSG SIZE' 
;; MSG SIZE  rcvd: 801
[octopus:~]%

Note that only a tiny handful of the $BIGNUM zones on the Internet are signed at present, however, so the practical increase in traffic due to DNSSEC today (or in July) will be small.

If you want to estimate the potential impact in the far distant future when all zones are signed, you could always see how much DNS traffic you exchange with the world today and determine what the impact would be if that traffic doubled (in terms of bits sent as responses).

I imagine that DNS is a pretty small fraction of your total traffic, and even if it quadrupled it'd still be very small compared to all the web and spam. But I would certainly be interested to hear your numbers.


Joe
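
Added example, not part of the original message: a small shell sketch of the estimate described above, using the two dig results quoted in the message as input. The function names and the traffic figures (200 kbit/s of DNS responses on a 10000 kbit/s link) are constructed assumptions, not measurements.

```shell
#!/bin/sh
# Added example. On a live system, feed msg_size directly from dig, e.g.
#   dig @L.ROOT-SERVERS.NET . NS +dnssec | msg_size

# Print the response size from dig output read on stdin.
# Exits non-zero if there is no "MSG SIZE" line (e.g. the query timed out).
msg_size() {
    awk '/MSG SIZE/ { print $NF; found = 1 } END { exit !found }'
}

# overhead_pct PLAIN SIGNED -> growth of the signed response, in percent.
overhead_pct() {
    awk -v p="$1" -v s="$2" 'BEGIN { printf "%.1f\n", (s - p) * 100 / p }'
}

# projected_share DNS_KBPS LINK_KBPS FACTOR -> percent of the link that DNS
# responses would occupy if they grew by FACTOR (2 = doubled, 4 = quadrupled).
projected_share() {
    awk -v d="$1" -v l="$2" -v f="$3" 'BEGIN { printf "%.1f\n", d * f * 100 / l }'
}

# The two result lines quoted in the message above.
PLAIN_OUT=';; MSG SIZE  rcvd: 492'
SIGNED_OUT=';; MSG SIZE  rcvd: 801'

plain=$(printf '%s\n' "$PLAIN_OUT" | msg_size)
signed=$(printf '%s\n' "$SIGNED_OUT" | msg_size)
echo "priming response: $plain -> $signed bytes (+$(overhead_pct "$plain" "$signed")%)"

# Constructed traffic figures, not measurements: 200 kbit/s of DNS responses
# on a 10000 kbit/s link, at today's size, doubled and quadrupled.
for factor in 1 2 4; do
    echo "DNS x$factor: $(projected_share 200 10000 "$factor")% of link"
done
```

Replace the constructed figures with the DNS response rate and link capacity measured at your own border to get a local estimate.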

