Signing the First Root – “L”
Last September a study was conducted regarding the signing of the L-Root. The study, “Root Zone Augmentation and Impact Analysis”, examined the impact the signing of the root would have on BIND and NSD platforms.
NSD 3.2.1 at 5,000 queries per second in a signed zone of 1 million names dropped 22% of UDP traffic.
Similarly, at 5,000 queries per second in a signed zone of 1 million names, BIND 9.6.0 P1 will fail to answer 81% of the inbound DNS queries. It should be noted that BIND version 10 should address some of the speed inefficiencies identified through this study.
Outside of the specific study regarding the impact of signing the L-Root, the other authoritative high-performance name server platform is from CommunityDNS. Similar testing found that CommunityDNS’ platform, at 50,000 queries per second on a zone of 1 million DNSSEC-signed names, will fail to answer 4.5% of inbound queries. Much of the loss is attributed to normal UDP congestion.
On the 27th of January the L-Root was signed. According to the “DURZ Data Analysis” report, the following traffic behavior was noticed after the signing of the L-Root.
With all of the root servers now signed, operational questions remain, such as:
- How will site owners manage their keys?
- How will registrars manage their keys?
- Will domain name owners be able to transfer their keys directly to the registry?
- Is there a rollback plan?
- Have operators provisioned for the additional bandwidth requirements associated with DNSSEC?



