[LINK] Is a Cloned Root Server going to be Big Enough? - NO!

Tom Koltai tomk at unwired.com.au
Sun Oct 25 12:20:29 AEDT 2009


Linkers might be interested in the following paper presented by Duane
Wessels and Geoffrey Sisson at last week's NANOG (47) Conference

https://www.dns-oarc.net/files/rzaia/rzaia_report.pdf

Executive Summary below.

A number of developments within the last 12 months promise to bring changes to the upper layers of the Domain Name System. In combination, these changes have the potential to radically transform the DNS root zone.

DNS-OARC has, under a contract with ICANN, studied the impact of these proposed or imminent changes to the root zone.

One of these changes is the increasing deployment of IPv6 in both the root zone and the TLDs. ICANN has been offering AAAA record publication in the root zone since 2004; however, uptake has been somewhat slow. Five years later (July 2009), 169 TLDs have AAAA records while the other 111 do not.

Another significant change is the advancing deployment of DNSSEC. At present, 10 full-production TLDs are signing their zones. The root zone remains unsigned, though, and DNSSEC-related records have yet to be added to it. However, parties responsible for the management of the root zone say they expect it to be signed by the end of this year.

The final - and perhaps most significant - change addressed by this study is the possibility of introducing new gTLDs. ICANN has proposed a new gTLD program under which the root zone could grow by orders of magnitude.[1]

In this study, we undertake a number of simulations and measurements with BIND and NSD server software and varying zone sizes to better understand how these changes may affect the performance of, and resource requirements for, the root DNS server infrastructure. Our analysis looks at five key areas that would have an impact on operations: zone size, name server reload and restart times, DNS response latency, inter-nameserver bandwidth utilization, and potential increases in TCP usage.

Our analysis of zone size focuses on memory usage. As expected, we find that memory requirements increase linearly with zone size. We also find that, for a given number of TLDs, signing the zone increases the memory requirement by a factor of 1.5-2. Additionally, we find that 32 GB of memory is insufficient for serving a very large root zone (e.g., a signed zone with 10 million TLDs), particularly when using NSD.

The response latency measurements find negligible increases (typically less than one millisecond) with NSD. For BIND (9.6.0-P1), however, we find some response time degradation with a large signed root zone (e.g., greater than 100,000 TLDs). With a 100,000 TLD signed zone, BIND drops nearly 30% of all queries sent at a rate of 5000 queries per second. With a one million TLD signed zone, BIND drops over 80%. NSD also begins to show some signs of stress with a very large (4.5 million TLD) zone where over 40% of queries are dropped.

The reload and restart time measurements are relatively straightforward and contain no real surprises. Loading and reloading times are generally proportional to zone size. Loading a 1 million TLD signed zone takes 190 seconds with BIND and 227 seconds with NSD.

To measure inter-nameserver bandwidth we performed a number of zone transfers between master and slave nameservers. We tested both standard (AXFR) and incremental (IXFR) zone transfer mechanisms. One interesting result of the AXFR test is that an NSD master utilizes 20-30% less bandwidth than a BIND master to send a given zone. To assess the duration of a zone transfer under wide-area network conditions, we introduced simulated packet loss and delays. A zone transfer experiencing 1% packet loss takes more than 2.5 times longer than with no packet loss for any given tested latency.

To explore increased TCP at root servers, we replayed real query streams to servers with signed zones. We found that between 0.3% and 0.8% of responses to UDP queries would be truncated, likely causing most of these clients to fall back to TCP. This means that root servers can expect to see at least an order of magnitude increase (e.g., from 5 to 50 per second) in queries over TCP when the root zone is signed. Additionally, we found that a large (e.g., one million TLD) signed root zone will likely result in a slightly higher proportion of TCP queries than a signed version of the current one.

Finally, we examined data for the .org TLD from before and after DNSSEC was deployed and found evidence suggesting that the actual increase in TCP-based queries could be significantly higher than can be forecast by evaluating current DNS traffic patterns.
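The TCP fallback the summary measures is driven by the TC (truncation) bit in the DNS header: a server that cannot fit the full answer into the client's UDP limit sets TC=1 and the resolver retries over TCP. The following is an added illustration, not code from the report or from this post: it implements the server-side truncation rule and a header-level TC counter that an operator could run over captured responses; the sample capture is constructed (headers only) and is not data from the study.

```python
import struct

TC_FLAG = 0x0200          # TrunCation bit in the DNS header flags word (RFC 1035)
DEFAULT_UDP_MAX = 512     # UDP payload limit when the query carries no EDNS0 OPT record


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Assemble the 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)


def is_truncated(msg):
    """True if the response header carries TC=1, the signal that makes a
    resolver retry the same query over TCP."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)


def server_would_truncate(full_response_len, client_udp_max=DEFAULT_UDP_MAX):
    """Server-side rule: a UDP answer larger than the client's advertised
    EDNS0 buffer (or 512 bytes without EDNS0) must be sent with TC=1.
    Signing a zone adds RRSIG/DNSKEY records, so more answers cross this line."""
    return full_response_len > client_udp_max


def truncation_ratio(responses):
    """Fraction of captured UDP responses carrying TC=1; this is the quantity
    the report puts at 0.3%-0.8% for a signed root zone."""
    responses = list(responses)
    if not responses:
        return 0.0
    return sum(is_truncated(r) for r in responses) / len(responses)


# Constructed sample capture (hypothetical, header-only): 1000 responses with
# QR=1, RD=1, RA=1 (0x8180); 6 of them truncated, i.e. 0.6%.
SAMPLE_CAPTURE = (
    [build_header(i, 0x8180, an=1) for i in range(994)]
    + [build_header(1000 + i, 0x8180 | TC_FLAG) for i in range(6)]
)

if __name__ == "__main__":
    print("truncated share: %.1f%%" % (100 * truncation_ratio(SAMPLE_CAPTURE)))
```

The ratio multiplied by the server's UDP query rate gives the extra TCP connection load to budget for, which is how the "5 to 50 per second" order-of-magnitude estimate above is reached.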
