[LINK] Is a Cloned Root Server going to be Big Enough? - NO!

Tom Koltai tomk at unwired.com.au
Sun Oct 25 12:20:29 AEDT 2009

Linkers might be interested in the following paper presented by Duane
Wessels and Geoffrey Sisson at last week's NANOG (47) conference.


Executive Summary below.

A number of developments within the last 12 months promise to bring
changes to the upper layers of the Domain Name System. In combination,
these changes have the potential to radically transform the DNS root.
DNS-OARC has, under a contract with ICANN, studied the impact of these
proposed or imminent changes to the root zone.

One of these changes is the increasing deployment of IPv6 in both the
zone and the TLDs. ICANN has been offering AAAA record publication in
the root zone since 2004; however, uptake has been somewhat slow. Five
years later (July 2009), 169 TLDs have AAAA records while the other 111
do not.

Another significant change is the advancing deployment of DNSSEC. At
present, 10 full-production TLDs are signing their zones. The root zone
remains unsigned, though, and DNSSEC-related records have yet to be
added to it. However, parties responsible for the management of the root
zone have said they expect it to be signed by the end of this year.

The final - and perhaps most significant - change addressed by this
study is the possibility of introducing new gTLDs. ICANN has proposed a
new gTLD program under which the root zone could grow by orders of
magnitude.[1]

In this study, we undertake a number of simulations and measurements
using BIND and NSD server software and varying zone sizes to better
understand how these changes may affect the performance of, and resource
requirements for, the root DNS server infrastructure. Our analysis looks
at five key areas that would have an impact on operations: zone size,
name server reload and restart times, DNS response latency,
inter-nameserver bandwidth usage, and potential increases in TCP usage.

Our analysis of zone size focuses on memory usage. As expected, we find
that memory requirements increase linearly with zone size. We also find
that, for a given number of TLDs, signing the zone increases the memory
requirement by a factor of 1.5-2. Additionally, we find that 32 GB of
memory is insufficient for serving a very large root zone (e.g., a
signed zone with 10 million TLDs), particularly when using NSD.

The response latency measurements find negligible increases (typically
less than one millisecond) with NSD. For BIND (9.6.0-P1), however, we
find response time degradation with a large signed root zone (e.g.,
greater than 100,000 TLDs). With a 100,000 TLD signed zone, BIND drops
nearly 30% of all queries sent at a rate of 5000 queries per second.
With a one million TLD signed zone, BIND drops over 80%. NSD also begins
to show some signs of stress with a very large (4.5 million TLD) zone
where over 40% of queries are dropped.

The reload and restart time measurements are relatively straightforward
and contain no real surprises. Loading and reloading times are generally
proportional to zone size. Loading a 1 million TLD signed zone takes 190
seconds with BIND and 227 seconds with NSD.

To measure inter-nameserver bandwidth we performed a number of zone
transfers between master and slave nameservers. We tested both standard
(AXFR) and incremental (IXFR) zone transfer mechanisms. One interesting
result of the AXFR test is that an NSD master utilizes 20-30% less
bandwidth than a BIND master to send a given zone. To assess the
duration of a zone transfer under wide-area network conditions, we
introduced packet loss and delays. A zone transfer experiencing 1%
packet loss takes more than 2.5 times longer than with no packet loss
for any given tested zone size.

To explore increased TCP at root servers, we replayed real query streams
to servers with signed zones. We found that between 0.3% and 0.8% of
responses to UDP queries would be truncated, likely causing most of
these clients to fall back to TCP. This means that root servers can
expect to see at least an order of magnitude increase (e.g., from 5 to
50 per second) in queries over TCP when the root zone is signed.
Additionally, we found that a large (e.g., one million TLD) signed root
zone will likely result in a higher proportion of TCP queries than a
signed version of the current root zone.

Finally, we examined data for the .org TLD from before and after DNSSEC
was deployed and found evidence suggesting that the actual increase in
TCP queries could be significantly higher than can be forecast by
evaluating current DNS traffic patterns.
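As an added illustration of the truncation mechanism behind the TCP forecast in the summary above (this is not code from the post or from the DNS-OARC study): the functions below read the EDNS0 OPT record of a query to find the UDP payload size the client will accept (512 bytes if it advertises none), flag the responses that would leave the server truncated and be retried over TCP, and turn the truncation ratio into an expected TCP query rate. The queries and response sizes in SAMPLES are constructed, not measured values.

```python
import struct
HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def advertised_udp_size(query):
    """UDP payload size the client advertises in its EDNS0 OPT RR, else the classic 512 bytes."""
    _id, _flags, qd, an, ns, ar = HEADER.unpack_from(query, 0)
    off = HEADER.size
    for _ in range(qd):                       # question: NAME, QTYPE, QCLASS
        off = skip_name(query, off) + 4
    for _ in range(an + ns + ar):             # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        if rtype == 41:                       # OPT: CLASS field carries the UDP buffer size
            return rclass
        off += 10 + rdlen
    return 512

def would_truncate(query, response_size):
    # A response larger than the client's limit goes out with TC=1 and is retried over TCP.
    return response_size > advertised_udp_size(query)

def tcp_fallback_forecast(samples, udp_qps):
    """samples: (query_bytes, response_wire_size) pairs -> (truncation ratio, expected TCP qps)."""
    ratio = sum(would_truncate(q, size) for q, size in samples) / len(samples)
    return ratio, ratio * udp_qps

def build_query(qname, edns_bufsize=None):
    """Constructed NS query for qname, optionally with an OPT RR advertising edns_bufsize."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")) + b"\x00"
    msg = HEADER.pack(0x1234, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0) + name + struct.pack("!HH", 2, 1)
    if edns_bufsize:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)   # root name, OPT, size, 0, no RDATA
    return msg

SAMPLES = [  # constructed sample, not the study's data; signed referrals (DS + RRSIG) are larger
    (build_query("example"), 430),        # unsigned-size referral, legacy 512-byte client: fits
    (build_query("example"), 910),        # signed referral, legacy client: truncated
    (build_query("example", 4096), 910),  # signed referral, EDNS0 4096-byte buffer: fits
    (build_query("example", 512), 910),   # EDNS0 present but 512-byte buffer: truncated
]
```

Run over real captured queries and the response sizes a signed zone would produce, the ratio is the quantity the study reports (0.3% to 0.8%) and the second value is the TCP load to provision for.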
