Home / Industry

DNSSEC FUD Buster: DNSSEC Slows the Internet?

.ORG, The Public Interest Registry, DNSSEC FUD Buster series continues this month with a piece authored by Andrew Sullivan. Andrew works for Shinkuro, an organization that interests and expertise lie in secure Internet capabilities. This organization also provides leadership in community activities such as the Domain Name System Security Extensions (DNSSEC). He is currently the co-chair of the DNS Extensions working group at the IETF. Prior to joining Shinkuro, Andrew was Director of Name Services at Afilias Limited.

Well, strictly speaking, it's true. It's just not that big a deal.

Currently, when you perform a DNS lookup, you usually send a very small request to your ISP's DNS server. You get back a response that includes the actual answer, and also possibly some additional information you might like to know in order to make further queries. These queries and, usually, their answers are tiny — they're for the most part much smaller than even the small "icon" graphics from a well-run website. Also, they use UDP, which is much less expensive in network bandwidth than is TCP (which is what common protocols like HTTP or SMTP use). "Plain" DNS is very, very, very cheap.

DNSSEC adds signatures to all parts of the response that form the answer. These signatures represent an apparently huge increase in the amount of data in the response (at least an order of magnitude). Since responses are bigger, they'll take more time to send, and they'll use more network bandwidth. But let's be clear: we are talking about moving from very, very, very cheap to merely very, very cheap. Compared to the overall Internet traffic — even compared to the number of "garbage" queries sent to the root name servers every day — the increase is tiny.

It's also true that validating responses adds a step that was never there before. Obviously, that adds time. But DNSSEC is designed on purpose to make validation fast. It is specified so that signing time may take longer, so that validation is very inexpensive (computationally).
So, DNSSEC will in some cases slow resolution down in two ways: it adds additional data, which means more network traffic, and therefore more network congestion; and it adds an additional step (validation) on top of the resolution done today.

Over the long run, the "more traffic" issue has to be addressed by additional bandwidth. The amount is measurable, however, and therefore the additional burden can be calculated as part of any infrastructure plan. The "additional step" issue is a trade-off. All increases in security bring costs along with the security benefit. This cost is partly paid in additional processing time during resolution. The benefit is that you don't go to Dr Evil's site when you're trying to check your bank balance or pay your taxes.

So, the short version is that, yes, there is a tiny and in some cases perceptible addition of time to the interval between when one asks for a DNS answer and when one actually gets it. The time is due to the additional network traffic and the validation step. The additional traffic is a tiny increase compared to all the other traffic on the Internet. The additional time entailed by validation is also a tiny amount. We feel this is an insignificant cost to reap the benefit of being sure that the answer you get is the right one.

About PIR

PIR

Public Interest Registry is a nonprofit corporation that operates the .org top-level domain – the world's third largest "generic" top-level domain with more than 10 million domain names registered worldwide. As an advocate for collaboration, safety and security on the Internet, Public Interest Registry's mission is to empower the global noncommercial community to use the Internet more effectively, and to take a leadership position among Internet stakeholders on policy and other issues relating to the domain naming system. (Learn More)

Related topics: Cyberattack, Cybercrime, DNS, DNSSEC, Domain Names, Registry Services, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

List of New gTLD Availability & Key Information Provided for Download

Radix Launches .Space for Individuals, Freelancers and Professionals

TLD Registry Wins Best Marketing Award at China New gTLD Roadshow

Public Interest Registry Introduces 'OnGood' - New Brand Identity for .ngo & .ong

Victorian Government and City of Melbourne Launch .melbourne Web Addresses

Update on Minds + Machines' Top-Level Domain Launches

ICANN Los Angeles Recap Webinar

TLD Registry Appoints First China General Manager, Mr Jin Wang

TLD Registry Opens China Headquarters in "China's Silicon Valley"

.nyc Goes Public to Brand the Big Apple

pink.host: Breast Cancer Awareness by Bluehost

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Radix Announces the Addition of .tech to Its Portfolio

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Infographic: Where in the World Do Chinese People Live?

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Afilias

DNSSEC

Sponsored by
Afilias
dotMobi

Mobile

Sponsored by
dotMobi
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines