论文信息 - Exploring the Overhead of DNSSEC Bernhard Ager

Exploring the Overhead of DNSSEC Bernhard Ager

Abstract Even though the key ideas behind DNSSEC have been introduced quite some time ago DNSSEC has not yet seen large scale deployment. This is in large part due to the anticipated overhead of DNSSEC. While the overheads have been reduced by the introduction of the delegation signer model [14], it is still not clear if they are bearable. Therefore we in this paper examine the actual overheads of DNSSEC. We first examine how the packet sizes of an DNS trace increases if DNSSEC would be used. Then we explore the CPU and memory overheads imposed by DNSSEC by replaying a DNS client trace in a testbed initialized with roughly 100,000 zones.

A. Feldmann | H. Dreger | B. Ager | Bernhard Ager | Holger Dreger

[1] Scott Rose,et al. Resource Records for the DNS Security Extensions , 2005, RFC.

[2] Scott Rose,et al. Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[3] Olafur Gudmundsson,et al. Delegation Signer (DS) Resource Record (RR) , 2003, RFC.

[4] Olafur Gudmundsson,et al. DNSSEC and IPv6 A6 aware server/resolver message size requirements , 2001, RFC.

[5] Daniel Massey,et al. Public key validation for the DNS security extensions , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[6] Donald E. Eastlake,et al. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS) , 1999, RFC.

[7] Paul Vixie,et al. DNS and BIND Security Issues , 1995, USENIX Security Symposium.

[8] Steven M. Bellovin,et al. Using the Domain Name System for System Break-ins , 1995, USENIX Security Symposium.

[9] Paul V. Mockapetris,et al. Domain names - implementation and specification , 1987, RFC.

[10] R. Gieben. Chain of trust : the parent-child and keyholder-keysigner relations and their communication in DNSSEC , 2001 .

[11] Paul V. Mockapetris,et al. Domain names: Concepts and facilities , 1983, RFC.