List:       dns-operations
Subject:    [dns-operations] Measuring DNSSEC Performance.
From:       rdobbins () arbor ! net (Dobbins, Roland)
Date:       2013-05-12 5:06:36
Message-ID: 5D66F43B-F016-4B9D-891C-B8C0ADE3E782 () arbor ! net


from <http://www.potaroo.net/ispcol/2013-05/dnssec-performance.html>:

-----

So the overall result is that if you DNSSEC sign a domain today then some 70% of the received A queries will request DNSSEC additional information, and the traffic level in responses will rise by a factor of 4.5 over traffic levels for an unsigned domain. If every client used DNSSEC validating resolvers then the total traffic levels would increase by a factor of up to 13 over levels associated with an unsigned domain. Obviously, once more, caching of the DNSSEC zone values would have some impact on this number, and a more accurate working projection is that traffic volumes would increase by a factor of between 6 and 13, depending on the zone's key lifetime and query activity.

For the invalidly-signed domain name the traffic levels in the responses have increased by a factor of 5.5. When the DNSSEC-signatures cannot be validated the client will repeat the query on any alternate DNS resolvers that have been configured. One way to look at this is to compare it to the validly signed domain. DNSSEC-invalidity is observed to increase the total response traffic volume by 20%. But this condition is being encountered by at most 4% of clients. If every client was using resolvers that performed DNSSEC validation then the consequence of key expiration, or any other event that caused the signature information to become invalid, would increase the traffic levels by 500%. In other words, the total traffic volume would be 6 times greater than that of a validly signed domain, or some 96 times higher than that of a validly signed domain, when using a single name server in the case where none of the responses are cached in DNS resolvers.

-----

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

