Home / Industry

DNSSEC FUD Buster: DNSSEC Slows the Internet?

.ORG, The Public Interest Registry, DNSSEC FUD Buster series continues this month with a piece authored by Andrew Sullivan. Andrew works for Shinkuro, an organization that interests and expertise lie in secure Internet capabilities. This organization also provides leadership in community activities such as the Domain Name System Security Extensions (DNSSEC). He is currently the co-chair of the DNS Extensions working group at the IETF. Prior to joining Shinkuro, Andrew was Director of Name Services at Afilias Limited.

Well, strictly speaking, it's true. It's just not that big a deal.

Currently, when you perform a DNS lookup, you usually send a very small request to your ISP's DNS server. You get back a response that includes the actual answer, and also possibly some additional information you might like to know in order to make further queries. These queries and, usually, their answers are tiny — they're for the most part much smaller than even the small "icon" graphics from a well-run website. Also, they use UDP, which is much less expensive in network bandwidth than is TCP (which is what common protocols like HTTP or SMTP use). "Plain" DNS is very, very, very cheap.

DNSSEC adds signatures to all parts of the response that form the answer. These signatures represent an apparently huge increase in the amount of data in the response (at least an order of magnitude). Since responses are bigger, they'll take more time to send, and they'll use more network bandwidth. But let's be clear: we are talking about moving from very, very, very cheap to merely very, very cheap. Compared to the overall Internet traffic — even compared to the number of "garbage" queries sent to the root name servers every day — the increase is tiny.

It's also true that validating responses adds a step that was never there before. Obviously, that adds time. But DNSSEC is designed on purpose to make validation fast. It is specified so that signing time may take longer, so that validation is very inexpensive (computationally).
So, DNSSEC will in some cases slow resolution down in two ways: it adds additional data, which means more network traffic, and therefore more network congestion; and it adds an additional step (validation) on top of the resolution done today.

Over the long run, the "more traffic" issue has to be addressed by additional bandwidth. The amount is measurable, however, and therefore the additional burden can be calculated as part of any infrastructure plan. The "additional step" issue is a trade-off. All increases in security bring costs along with the security benefit. This cost is partly paid in additional processing time during resolution. The benefit is that you don't go to Dr Evil's site when you're trying to check your bank balance or pay your taxes.

So, the short version is that, yes, there is a tiny and in some cases perceptible addition of time to the interval between when one asks for a DNS answer and when one actually gets it. The time is due to the additional network traffic and the validation step. The additional traffic is a tiny increase compared to all the other traffic on the Internet. The additional time entailed by validation is also a tiny amount. We feel this is an insignificant cost to reap the benefit of being sure that the answer you get is the right one.

About PIR

PIR

Public Interest Registry is a nonprofit corporation that operates the .org top-level domain – the world's third largest "generic" top-level domain with more than 10 million domain names registered worldwide. As an advocate for collaboration, safety and security on the Internet, Public Interest Registry's mission is to empower the global noncommercial community to use the Internet more effectively, and to take a leadership position among Internet stakeholders on policy and other issues relating to the domain naming system. (Learn More)

Related topics: Cyberattack, Cybercrime, DNS, DNS Security, Domain Names, Registry Services, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

ICANN Los Angeles Recap Webinar

TLD Registry Appoints First China General Manager, Mr Jin Wang

TLD Registry Opens China Headquarters in "China's Silicon Valley"

.nyc Goes Public to Brand the Big Apple

pink.host: Breast Cancer Awareness by Bluehost

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Radix Announces the Addition of .tech to Its Portfolio

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Infographic: Where in the World Do Chinese People Live?

Public Interest Registry Seeks Leaders to Serve on its NGO Community Advisory Council

Neustar to Build Multiple Tbps DDoS Mitigation Platform

Auctions Update: MMX Wins .law and .vip

LogicBoxes Partners with I-Content to Implement Vertical Integration for .RICH and .ONL

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

General Availability Kicks Off for .Website, .Press and .Host

New .ORGANIC Top-Level Domain Welcomes Leading Brands As .ORGANIC Pioneers

Dot Chinese Online and Dot Chinese Website Featured in EURid's World Report on IDNs 2014

New .ORGANIC Top-Level Domain Opens to Serve the Organic Community

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNS Security

Sponsored by
Afilias