Note: This page is still under construction and will be updated with new results and information.
One of the roadblocks to deployment of DNSSEC is the concerns over the performance impact DNSSEC will have on current operations. DNSSEC will require both servers and resolvers/validators to do more work, but the projected impact depends on where the particular component is in relation to the DNS. Because of how DNSSEC works, validating resolvers perform most of the computationally expensive work (signature verification) during operation. Authoritative servers do not generate signatures during runtime (for the most part), but will be constructing larger replies to queries (especially negative replies).
The following is broken down to the most likely impact of DNSSEC depending on the particular role of the DNS software in question. First, we will look at the performance impact most likely seen for Authoritative servers, then caches (recursive name servers) and finally validators (resolvers that may know how to do DNSSEC).
For authoritative DNS name servers, the performance impact of DNSSEC will come from increased memory and CPU usage on name servers, and an increase in bandwidth usage by DNS. If a name server has both authoritative information, and a cache (that is, it also handles recursive queries on behalf of stub resolvers), the section on performance impact on caching name servers will also apply.
Below is a brief estimate of the possible impact of DNSSEC on authoritative name servers. Some more exact measurements are available for some real world zones, including the root, performed at RIPE (pdf file). However, both the RIPE report and the stats below may not reflect your particular zone and configuration, but can serve as a rough guide. Tools are available to conduct more customized performance tests.
Caching name servers (sometimes referred to as recursive name servers) will see the biggest performance impact from DNSSEC. Caching servers will see a growth in the size of its cache as well as see bandwidth impacts similar to those seen by authoritative servers. If the caching name server performs DNSSEC validation on behalf of clients, it will also see a growth in CPU time dedicated to DNS operations.
The most noticeable impact for caching name servers using DNSSEC will be in the growth of the cache size. The exact requirements for a particular server depend on the traffic it services as well as the TTL and size of incoming responses. Those wishing to do a more customized test using a particular network scenario can find tools here.
The performance impact of DNSSEC on validators has only recently started. It is a fact that DNSSEC impact on validators is greater (resource-wise) than for authoritative servers. Like in caching servers which usually have a validator if it performs DNSSEC operations on behalf of DNSSEC-unaware stub resolvers, the impact of DNSSEC on validators depends on the traffic the validator sees as well as the computational power of the system.
Some preliminary work presented at the 65th IETF DNSOP working group meeting shows that under certain scenarios BIND 9.3.2 incurred only a 2% performance hit (queries/second) when validating as opposed to traditional DNS response processing.
"Exploring the Overhead of DNSSEC" (PDF file)
Uses real traffic data and projected calculations to measure the impact of DNSSEC on caching DNS servers for a large university.
Questions
or comments should be sent to the
SNIP admin
NIST
is an agency of the U.S.
Department of Commerce. Privacy
policy / security
notice / accessibility
statement / Disclaimer
/ Freedom of
Information Act (FOIA) / No
Fear Act Data
Date created 9/16/2008. Last updated 9/17/2009.
