Earlier this year, ICANN contracted with DNS-OARC to study the impacts of potential changes facing the DNS root zone. These changes include: (1) a significant increase in the number of gTLDs, (2) signing the zone with DNSSEC, and (3) continued increase in IPv6 glue. In our study we explore how these changes affect:
  • The size of the zone (e.g., on disk and in memory)
  • How much time is required to load, or reload, the zone
  • Latency and performance of serving the zone
  • Time and bandwidth necessary for zone transfers
  • Truncated responses and retries over TCP

Executive Summary

This excerpt of the executive summary is taken from the full report: Our analysis of zone size focuses on memory usage. As expected, we find that memory requirements increase linearly with zone size. We also find that, for a given number of TLDs, signing the zone increases the memory requirement by a factor of 1.5–2. Additionally, we find that 32 GB of memory is insufficient for serving a very large root zone (e.g., a signed zone with 10 million TLDs), particularly when using NSD. The response latency measurements find negligible increases (typically less than one millisecond) with NSD. For BIND (9.6.0-P1), however, we find some response time degradation with a large signed root zone (e.g., greater than 100,000 TLDs). With a 100,000 TLD signed zone, BIND drops nearly 30% of all queries sent at a rate of 5000 queries per second. With a one million TLD signed zone, BIND drops over 80%. NSD also begins to show some signs of stress with a very large (4.5 million TLD) zone where over 40% of queries are dropped. The reload and restart times measurements are relatively straightforward and contain no real surprises. Loading and reloading times are generally proportional to zone size. Loading a 1 million TLD signed zone takes 190 seconds with BIND and 227 seconds with NSD. To measure inter-nameserver bandwidth we performed a number of zone transfers between master and slave nameservers. We tested both standard (AXFR) and incremental (IXFR) zone transfer mechanisms. One interesting result of the AXFR test is that an NSD master utilizes 20–30% less bandwidth than a BIND master to send a given zone. To assess the duration of a zone transfer under wide-area network conditions, we introduced simulated packet loss and delays. A zone transfer experiencing 1% packet loss takes more than 2.5 times longer than with no packet loss for any given tested latency. To explore increased TCP at root servers, we replayed real query 1streams to servers with signed zones. We found that between 0.3% and 0.8% of responses to UDP queries would be truncated, likely causing most these clients to fall back to TCP. This means that root servers can expect to see at least an order of magnitude increase (e.g., from 5 to 50 per second) in queries over TCP when the root zone is signed. Additionally, we found that a large (e.g., one million TLD) signed root zone will likely result in a slightly higher proportion of TCP queries than a signed version of the current one. Finally, we examined data for the .org TLD from before and after DNSSEC was deployed and found evidence suggesting that the actual increase in TCP-based queries could be significantly higher than can be forecast by evaluating current DNS traffic patterns.