The first step in getting a full picture of the impact DNSSEC will have on current operations is to lay a basis for measuring and discussing DNS performance. This presentation from a 2004 meeting on DNSSEC deployment spells out the need for a unified metrology for DNS and DNSSEC.
NIST has developed a set of tools that make it possible for an organization to conduct its own DNS/DNSSEC benchmarking experiments. This includes a set of tools and a set of sample data (zone files and traffic models) that can be used. Instead of using these data files, however, an organization might prefer to use its own zone and traffic load to see how deploying DNSSEC will impact its current operations.
The following steps should be conducted to perform a basic analysis:
There are two ways of obtaining test data. The easiest is to take an operating zone's file and query log. The NIST querysim tool (below) contains a sample script that can take a BIND query log file and convert it into a querysim input file.
The other option is to generate the data files. Zone files can either be generated or taken from the anonymized collection below. These zone files are actual operating zones with hostnames and IP addresses obscured for privacy.
A collection of real TLD zones, anonymized to obscure real hostnames and IP addresses.
To generate a traffic stream, a zone file and a traffic model are needed. The NIST trafficGen traffic generator tool takes these data files and produces a text file that can be used with querysim to produce a traffic query load.
NIST DNS Traffic Stream Generator Beta version - requires Java 1.4.2.
Takes a traffic model (sample included) and a zone file (not included) and produces a traffic query stream that can be used with querysim to produce a query load directed at a server. Currently only generates a query load for an authoritative server.
A minimum of two test systems are needed, three if the system used for measurement has an interface in promiscuous mode.
Setting up a test DNS server is beyond the scope of this tutorial. Ideally, the server should be set up in a way that best resembles an operating network. If the test scenario is for authoritative servers, recursion should be turned off, and if DNSSEC is being tested, it should be enabled on the server (if required).
A second system (or two) is needed to set up the test tools: the querysim traffic stream generator and a traffic measurement tool.
querysim v0.9.2, a C utility compiled using RedHat Linux
This tool takes a text input file containing a series of queries to be sent to a DNS server. Each query entry takes the form of:
| TIME | OFFSET | QNAME | QTYPE | FLAGS |
Where QTYPE is any IANA-assigned type and FLAGS represent the DNSSEC OK (DO) bit and/or the Checking Disabled (CD) bit. Included is a sample Perl script to convert a BIND query log file into a querysim input file.
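As an added illustration (not the Perl script shipped with querysim), the following Python converts a constructed sample of BIND 9 query-log lines into records in the TIME / OFFSET / QNAME / QTYPE / FLAGS layout above; the page names the fields but not their semantics, so the time units, the "DO", "CD", "DO+CD" and "-" flag spellings, and the UTC clock are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of BIND 9 query-log lines (not a real capture). The flag
# token uses BIND's notation: +/- recursion desired, E EDNS, D DNSSEC OK (DO)
# bit set, C Checking Disabled (CD) bit set.
SAMPLE_LOG = """\
03-Mar-2004 12:00:00.000 client 192.0.2.10#1025: query: www.example.com IN A +
03-Mar-2004 12:00:00.250 client 192.0.2.11#3344: query: example.com IN SOA -ED
03-Mar-2004 12:00:01.100 client 192.0.2.12#5555: query: ns1.example.com IN AAAA +E(0)DC
03-Mar-2004 12:00:01.100 client 192.0.2.13#5556: notify: zone example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client \S+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)(?: (?P<flags>\S+))?"
)

def parse_bind_line(line):
    """Return (time, qname, qtype, flags) for a query line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: the server clock is UTC, so TIME is reproducible.
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)
    # Drop the EDNS version marker "E(n)" so its digits are never read as flags.
    flag_text = re.sub(r"E\(\d+\)", "E", m.group("flags") or "")
    bits = [name for ch, name in (("D", "DO"), ("C", "CD")) if ch in flag_text]
    return ts, m.group("qname"), m.group("qtype"), "+".join(bits) or "-"

def convert(log_text):
    """Turn BIND query-log text into (TIME, OFFSET, QNAME, QTYPE, FLAGS) tuples.
    Assumed semantics: TIME is Unix seconds, OFFSET is seconds since the first
    query, FLAGS is DO, CD, DO+CD or '-' when neither DNSSEC bit is set."""
    records, first = [], None
    for line in log_text.splitlines():
        parsed = parse_bind_line(line)
        if parsed is None:
            continue  # notify, transfer and other non-query lines are skipped
        ts, qname, qtype, flags = parsed
        first = first or ts
        records.append((ts.timestamp(), (ts - first).total_seconds(),
                        qname, qtype, flags))
    return records

def format_record(rec):
    """Render one record in the | TIME | OFFSET | QNAME | QTYPE | FLAGS | layout."""
    return "| %.3f | %.3f | %s | %s | %s |" % rec
```

Running `format_record` over `convert(SAMPLE_LOG)` yields one line per query; the notify line is dropped, and the DO/CD bits in the BIND flag token become the FLAGS field.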
Traffic Monitoring Tool, requires libpcap, compiled using RedHat Linux
Statistics collection tool that uses the packet sniffing library libpcap. Watches DNS traffic (port 53 by default, can be changed) and a particular IP address (a server to monitor). Output is a text file with basic statistics (format found in README).
This is up to the individual organization that is conducting the tests. This process was used to create these statistics for a basic authoritative server.
dsc is a system for collecting and exploring statistics from busy DNS servers. It currently has two major components: a collector (uses libpcap) and a presenter. Takes periodic dumps of configurable datasets. Also includes a presentation utility to parse captured datasets.
Contains a collection of zone files with specific errors or problems. Useful for testing DNS/DNSSEC integrity tools and error conditions for various DNS components.
Netperf2 DNS performance tool that also checks IPv4 and IPv6 conformance.
Questions or comments should be sent to proj-dnssec@antd.nist.gov