Note: This page is still under construction and will be updated with new results and information.
One of the roadblocks to deploying DNSSEC is concern over the performance impact it will have on current operations. DNSSEC requires both servers and resolvers/validators to do more work, but the projected impact depends on the role the particular component plays in the DNS. Because of how DNSSEC works, validating resolvers perform most of the computationally expensive work (signature verification) during operation. Authoritative servers do not (for the most part) generate signatures at runtime, but they will be constructing larger replies to queries (especially negative replies).
The following is broken down by the most likely impact of DNSSEC according to the role of the DNS software in question. First, we will look at the performance impact most likely to be seen by authoritative servers, then by caches (recursive name servers) and finally by validators (resolvers that are DNSSEC-aware).
For authoritative DNS name servers, the performance impact of DNSSEC will come from increased memory and CPU usage on the name servers and from increased DNS bandwidth usage. If a name server holds both authoritative information and a cache (that is, it also handles recursive queries on behalf of stub resolvers), the section on the performance impact on caching name servers will also apply.
Below is a brief estimate of the possible impact of DNSSEC on authoritative name servers. More exact measurements are available for some real-world zones, including the root, performed at RIPE (pdf file). However, neither the RIPE report nor the stats below may reflect your particular zone and configuration; they can only serve as a rough guide. Tools are available to conduct more customized performance tests.
Caching name servers (sometimes referred to as recursive name servers) will see the biggest performance impact from DNSSEC. A caching server's cache will grow, and the server will see bandwidth impacts similar to those seen by authoritative servers. If the caching name server performs DNSSEC validation on behalf of clients, it will also see growth in the CPU time dedicated to DNS operations.
The most noticeable impact for caching name servers using DNSSEC will be the growth of the cache size. The exact requirements for a particular server depend on the traffic it services as well as on the TTL and size of incoming responses. Those wishing to run a more customized test using a particular network scenario can find tools here.
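As an added illustration of the two effects described above (larger replies from signed zones and the resulting cache growth on caching servers), the following Python script is not from this page or from NIST; it builds a minimal A response in DNS wire format with and without an RRSIG and EDNS0 OPT record and compares the sizes. The zone name, key tag, validity window and 128-byte signature placeholder are constructed assumptions, and owner names are left uncompressed, so the sizes are slight overestimates.

```python
import struct

def encode_name(name):
    """Dotted name -> uncompressed DNS wire-format name (no compression, so sizes are slight overestimates)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig_rdata(type_covered, algorithm, owner, ttl, signer, signature, key_tag=12345):
    """RRSIG RDATA layout from RFC 4034 section 3.1 (validity window and key tag are constructed values)."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    inception = 1_000_000_000
    expiration = inception + 30 * 86400
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels, ttl,
                        expiration, inception, key_tag)
    return fixed + encode_name(signer) + signature

def build_response(qname, addresses, ttl, signed, sig_len=128):
    """A-record response; signed=True adds an RRSIG over the A RRset plus an EDNS0 OPT record with DO set."""
    ancount = len(addresses) + (1 if signed else 0)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, 1 if signed else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"".join(rr(qname, 1, ttl, bytes(int(o) for o in a.split("."))) for a in addresses)
    additional = b""
    if signed:
        signer = ".".join(qname.rstrip(".").split(".")[1:]) + "."  # assumes the zone apex is the parent name
        signature = bytes(sig_len)  # constructed placeholder; an RSA-1024 signature is 128 bytes
        answer += rr(qname, 46, ttl, rrsig_rdata(1, 5, qname, ttl, signer, signature))
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size, TTL field carries the DO bit
        additional = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + answer + additional

def size_growth(qname, addresses, ttl=3600, sig_len=128):
    """(plain bytes, signed bytes, growth factor) for one A response."""
    plain = len(build_response(qname, addresses, ttl, signed=False))
    signed = len(build_response(qname, addresses, ttl, signed=True, sig_len=sig_len))
    return plain, signed, signed / plain

def cache_estimate(entries, plain_bytes, signed_bytes):
    """Rough extra cache memory (bytes) if every cached answer grows the same way."""
    return entries * (signed_bytes - plain_bytes)

if __name__ == "__main__":
    p, s, f = size_growth("www.example.com.", ["192.0.2.1"])
    print(f"plain {p} bytes, signed {s} bytes, x{f:.2f}; "
          f"100000 cached answers need ~{cache_estimate(100000, p, s)} more bytes")
```

Real responses also carry the RRSIGs of any NS/DNSKEY/NSEC records in the other sections, so the ratio for negative answers is larger still than this single-RRset case shows.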
Study of the performance impact of DNSSEC on validators has only recently started. It is a fact that the impact of DNSSEC on validators is greater (resource-wise) than on authoritative servers. As with caching servers (which usually include a validator when they perform DNSSEC operations on behalf of DNSSEC-unaware stub resolvers), the impact of DNSSEC on validators depends on the traffic the validator sees as well as on the computational power of the system.
Some preliminary work presented at the 65th IETF DNSOP working group meeting shows that under certain scenarios BIND 9.3.2 incurred only a 2% performance hit (queries/second) when validating, as opposed to traditional DNS response processing.
"Exploring the Overhead of DNSSEC" (PDF file): uses real traffic data and projected calculations to measure the impact of DNSSEC on caching DNS servers at a large university.
Questions or comments should be sent to proj-dnssec@antd.nist.gov