
Is a $70 router fast enough for DNSSEC?

In a blog post a few days ago, Bob Novas talked about configuring an inexpensive home router as a DNSSEC validator for a home/small office network.

Such a router has much less computational power than most computers today, so many people assume it is not fast enough to do DNSSEC validation. To test that assumption, I ran the router through a set of tests designed to measure DNS and DNSSEC validation performance. I ran each of the following tests in sequence against the router with DNSMASQ (the default, non-validating forwarding resolver used by OpenWrt), Unbound without validation, and Unbound with validation:

  • Test #1 (Cold cache): query for X signed names from 2 different zones
  • Test #2 (Warm cache): query once for each of the names in #1
  • Test #3 (Mixed): query for the names in cache and intermingle 30% queries for names not in cache
  • Test #4 (Remote): ask for 50 nonexistent names in .gov

In tests 1-3, the names queried are from zones served by authoritative servers on the same LAN, minimizing network delays.

The reason I have the value X above is that I use different values depending on the speed of the device under test.  The goal of the tests is to run experiments #1 and #3 for just long enough to get meaningful results.
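To run the Cold/Warm procedure above against your own router, here is an added example (not from the post or from Bob Novas's setup): a small Python script that sends raw A queries with the EDNS0 DO bit, counts answers carrying the AD ("Authenticated Data") bit that a validating resolver sets, and reports queries per second. The resolver address 192.168.1.1 and the host names are placeholders; point them at your router and a signed zone you serve locally.

```python
import socket
import struct
import time

AD_FLAG = 0x0020  # Authenticated Data: set by a validating resolver on validated answers


def build_query(name, qid, dnssec_ok=True):
    """Build a DNS A query. With dnssec_ok an EDNS0 OPT record with the DO bit is
    appended so the resolver knows the client accepts DNSSEC records (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0, flags DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0) if dnssec_ok else b""
    return header + question + opt


def parse_flags(response):
    """Return (rcode, ad_bit) from a raw DNS response; rcode 0 = NOERROR, 3 = NXDOMAIN."""
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & AD_FLAG)


def run_phase(resolver, names, timeout=2.0):
    """Query each name sequentially; return (queries_per_second, validated, failed).
    Run it twice on the same list to get the Cold and then the Warm figure."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    validated = failed = 0
    start = time.monotonic()
    for qid, name in enumerate(names):
        sock.sendto(build_query(name, qid & 0xFFFF), (resolver, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            failed += 1
            continue
        rcode, ad = parse_flags(resp)
        if rcode not in (0, 3):  # e.g. SERVFAIL (2), which a validator returns for bogus data
            failed += 1
        elif ad:
            validated += 1
    elapsed = time.monotonic() - start
    sock.close()
    return len(names) / elapsed, validated, failed


if __name__ == "__main__":
    # Assumed values: router at 192.168.1.1, names from a locally served signed zone.
    hosts = [f"host{i}.example.net" for i in range(200)]
    for phase in ("Cold", "Warm"):
        qps, ok, bad = run_phase("192.168.1.1", hosts)
        print(f"{phase}: {qps:.0f} q/s, {ok} validated (AD set), {bad} failed")
```

If the validated count stays at zero with a resolver you believe is validating, check that the DO bit reaches it and that the zone's chain of trust actually reaches a configured trust anchor.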

When running without DNSSEC, DNSMASQ and Unbound performed about the same in the Cold test — around 700 queries/second.

Unbound was six times faster on the Warm test since it caches responses and DNSMASQ doesn't. Unbound was twice as fast on the Mixed test for the same reason.

With DNSSEC turned on, Unbound was able to handle about 140 validated queries/second, which is quite fast. This is with answers that are signed by a 1024-bit RSA key. It ran at the same speed as it did without DNSSEC in the Warm case.

This performance is more than enough for a home or small office.

When comparing the results for the Remote test, validating Unbound finished in about seven seconds while non-validating DNSMASQ took about ten. Network delay, not validation time, dominates the time to perform this test. In non-test situations, DNSSEC validation will thus not be a bottleneck when doing lookups from the Internet.
