.ORG, The Public Interest Registry, DNSSEC FUD Buster series continues this month with a piece authored by Andrew Sullivan. Andrew works for Shinkuro, an organization that interests and expertise lie in secure Internet capabilities. This organization also provides leadership in community activities such as the Domain Name System Security Extensions (DNSSEC). He is currently the co-chair of the DNS Extensions working group at the IETF. Prior to joining Shinkuro, Andrew was Director of Name Services at Afilias Limited.

Well, strictly speaking, it’s true. It’s just not that big a deal.

Currently, when you perform a DNS lookup, you usually send a very small request to your ISP’s DNS server. You get back a response that includes the actual answer, and also possibly some additional information you might like to know in order to make further queries. These queries and, usually, their answers are tiny—they’re for the most part much smaller than even the small “icon” graphics from a well-run website. Also, they use UDP, which is much less expensive in network bandwidth than is TCP (which is what common protocols like HTTP or SMTP use). “Plain” DNS is very, very, very cheap.

DNSSEC adds signatures to all parts of the response that form the answer. These signatures represent an apparently huge increase in the amount of data in the response (at least an order of magnitude). Since responses are bigger, they’ll take more time to send, and they’ll use more network bandwidth. But let’s be clear: we are talking about moving from very, very, very cheap to merely very, very cheap. Compared to the overall Internet traffic—even compared to the number of “garbage” queries sent to the root name servers every day—the increase is tiny.

It’s also true that validating responses adds a step that was never there before. Obviously, that adds time. But DNSSEC is designed on purpose to make validation fast. It is specified so that signing time may take longer, so that validation is very inexpensive (computationally).
So, DNSSEC will in some cases slow resolution down in two ways: it adds additional data, which means more network traffic, and therefore more network congestion; and it adds an additional step (validation) on top of the resolution done today.

Over the long run, the “more traffic” issue has to be addressed by additional bandwidth. The amount is measurable, however, and therefore the additional burden can be calculated as part of any infrastructure plan. The “additional step” issue is a trade-off. All increases in security bring costs along with the security benefit. This cost is partly paid in additional processing time during resolution. The benefit is that you don’t go to Dr Evil’s site when you’re trying to check your bank balance or pay your taxes.

So, the short version is that, yes, there is a tiny and in some cases perceptible addition of time to the interval between when one asks for a DNS answer and when one actually gets it. The time is due to the additional network traffic and the validation step. The additional traffic is a tiny increase compared to all the other traffic on the Internet. The additional time entailed by validation is also a tiny amount. We feel this is an insignificant cost to reap the benefit of being sure that the answer you get is the right one.