Home / Industry

DNSSEC FUD Buster: DNSSEC Slows the Internet?

.ORG, The Public Interest Registry, DNSSEC FUD Buster series continues this month with a piece authored by Andrew Sullivan. Andrew works for Shinkuro, an organization that interests and expertise lie in secure Internet capabilities. This organization also provides leadership in community activities such as the Domain Name System Security Extensions (DNSSEC). He is currently the co-chair of the DNS Extensions working group at the IETF. Prior to joining Shinkuro, Andrew was Director of Name Services at Afilias Limited.

Well, strictly speaking, it's true. It's just not that big a deal.

Currently, when you perform a DNS lookup, you usually send a very small request to your ISP's DNS server. You get back a response that includes the actual answer, and also possibly some additional information you might like to know in order to make further queries. These queries and, usually, their answers are tiny — they're for the most part much smaller than even the small "icon" graphics from a well-run website. Also, they use UDP, which is much less expensive in network bandwidth than is TCP (which is what common protocols like HTTP or SMTP use). "Plain" DNS is very, very, very cheap.

DNSSEC adds signatures to all parts of the response that form the answer. These signatures represent an apparently huge increase in the amount of data in the response (at least an order of magnitude). Since responses are bigger, they'll take more time to send, and they'll use more network bandwidth. But let's be clear: we are talking about moving from very, very, very cheap to merely very, very cheap. Compared to the overall Internet traffic — even compared to the number of "garbage" queries sent to the root name servers every day — the increase is tiny.

It's also true that validating responses adds a step that was never there before. Obviously, that adds time. But DNSSEC is designed on purpose to make validation fast. It is specified so that signing time may take longer, so that validation is very inexpensive (computationally).
So, DNSSEC will in some cases slow resolution down in two ways: it adds additional data, which means more network traffic, and therefore more network congestion; and it adds an additional step (validation) on top of the resolution done today.

Over the long run, the "more traffic" issue has to be addressed by additional bandwidth. The amount is measurable, however, and therefore the additional burden can be calculated as part of any infrastructure plan. The "additional step" issue is a trade-off. All increases in security bring costs along with the security benefit. This cost is partly paid in additional processing time during resolution. The benefit is that you don't go to Dr Evil's site when you're trying to check your bank balance or pay your taxes.

So, the short version is that, yes, there is a tiny and in some cases perceptible addition of time to the interval between when one asks for a DNS answer and when one actually gets it. The time is due to the additional network traffic and the validation step. The additional traffic is a tiny increase compared to all the other traffic on the Internet. The additional time entailed by validation is also a tiny amount. We feel this is an insignificant cost to reap the benefit of being sure that the answer you get is the right one.

About PIR

PIR

Public Interest Registry is a nonprofit corporation that operates the .org top-level domain – the world's third largest "generic" top-level domain with more than 10 million domain names registered worldwide. As an advocate for collaboration, safety and security on the Internet, Public Interest Registry's mission is to empower the global noncommercial community to use the Internet more effectively, and to take a leadership position among Internet stakeholders on policy and other issues relating to the domain naming system. Learn More

Related topics: Cyberattack, Cybercrime, DNS, DNS Security, Domain Names, Registry Services, Security, Top-Level Domains

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Afilias Announces Relaunch of .GREEN TLD

Encrypting Inbound and Outbound Email Connections with PowerMTA

New .PROMO Domain Sunrise Period Begins Today

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Minds + Machines Group Announces Outsourcing Agreements, Web Address Change

.STORE Opens its Doors to Brands

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Startup on .TECH New Top-Level Domain Receives $6.7 Million in Funding

What Holds Firms Back from Choosing Cloud-Based External DNS?

United States Court Has Granted an Interim Relief for DCA Trust on .Africa gTLD

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

February Biggest Month to Date for Radix, Over 750K Domain Registrations

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Radix & WHMCS Offer Free .HOST Domains to All WHMCS Customers

New .BET Domain Now Available to the Public

Radix and SnapNames Announce Exclusive Partnership

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

Radix Gives Its TLD .SPACE a Makeover

The Framework for Resilient Cybersecurity (Webinar)

New .PET Domain Available to the Public

Sponsored Topics

Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign
Port25

Email

Sponsored by
Port25