Home / Industry

DNSSEC FUD Buster: DNSSEC Slows the Internet?

.ORG, The Public Interest Registry, DNSSEC FUD Buster series continues this month with a piece authored by Andrew Sullivan. Andrew works for Shinkuro, an organization that interests and expertise lie in secure Internet capabilities. This organization also provides leadership in community activities such as the Domain Name System Security Extensions (DNSSEC). He is currently the co-chair of the DNS Extensions working group at the IETF. Prior to joining Shinkuro, Andrew was Director of Name Services at Afilias Limited.

Well, strictly speaking, it's true. It's just not that big a deal.

Currently, when you perform a DNS lookup, you usually send a very small request to your ISP's DNS server. You get back a response that includes the actual answer, and also possibly some additional information you might like to know in order to make further queries. These queries and, usually, their answers are tiny — they're for the most part much smaller than even the small "icon" graphics from a well-run website. Also, they use UDP, which is much less expensive in network bandwidth than is TCP (which is what common protocols like HTTP or SMTP use). "Plain" DNS is very, very, very cheap.

DNSSEC adds signatures to all parts of the response that form the answer. These signatures represent an apparently huge increase in the amount of data in the response (at least an order of magnitude). Since responses are bigger, they'll take more time to send, and they'll use more network bandwidth. But let's be clear: we are talking about moving from very, very, very cheap to merely very, very cheap. Compared to the overall Internet traffic — even compared to the number of "garbage" queries sent to the root name servers every day — the increase is tiny.

It's also true that validating responses adds a step that was never there before. Obviously, that adds time. But DNSSEC is designed on purpose to make validation fast. It is specified so that signing time may take longer, so that validation is very inexpensive (computationally).
So, DNSSEC will in some cases slow resolution down in two ways: it adds additional data, which means more network traffic, and therefore more network congestion; and it adds an additional step (validation) on top of the resolution done today.

Over the long run, the "more traffic" issue has to be addressed by additional bandwidth. The amount is measurable, however, and therefore the additional burden can be calculated as part of any infrastructure plan. The "additional step" issue is a trade-off. All increases in security bring costs along with the security benefit. This cost is partly paid in additional processing time during resolution. The benefit is that you don't go to Dr Evil's site when you're trying to check your bank balance or pay your taxes.

So, the short version is that, yes, there is a tiny and in some cases perceptible addition of time to the interval between when one asks for a DNS answer and when one actually gets it. The time is due to the additional network traffic and the validation step. The additional traffic is a tiny increase compared to all the other traffic on the Internet. The additional time entailed by validation is also a tiny amount. We feel this is an insignificant cost to reap the benefit of being sure that the answer you get is the right one.

About PIR

PIR

Public Interest Registry is a nonprofit corporation that operates the .org top-level domain – the world's third largest "generic" top-level domain with more than 10 million domain names registered worldwide. As an advocate for collaboration, safety and security on the Internet, Public Interest Registry's mission is to empower the global noncommercial community to use the Internet more effectively, and to take a leadership position among Internet stakeholders on policy and other issues relating to the domain naming system. (Learn More)

Related topics: Cyberattack, Cybercrime, DNS, DNS Security, Domain Names, Registry Services, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

The ANA and Hand-Wringing

A New Way to Value Registry Business

Do You .RUN?

Is racing.com a Half-Million Dollar Mistake for Racing Victoria?

Call for ICANN to Educate and Not Mislead GAC

Related News

Topics

Industry Updates – Sponsored Posts

.Host Announces Top Global Players As Pioneer Partners

Public Interest Registry Releases Bi-Annual Report, .Org Domain Registrations Pass 10.4 Million

Public Interest Registry to Speak About Upcoming Launch of .ngo and .ong Domains for NPOs

Landrush Opens for .Website, .Press and .Host

Afilias Announces General Availability of .BLACK Top-Level Domain

Nominum Announces Future Ready DNS

Last Lap of .WEBSITE, .PRESS and .HOST Sunrise

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

Introducing the New .ORGANIC Domain: A Trusted, Credible Space for Organic Products on the Web

.WANG - 15,000 Registrations on Day One of General Availability

Dot Brand: Why Your Brand Needs Its Own Top-Level Domain

Sponsored Topics