draft-zhang-dnsext-test-result-00

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
8.4 paging Paging is a memory-management scheme that permits the physical address space of a process to be non-contiguous. The basic method for implementation.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
Towards a Billion Routing Lookups per Second in Software  Author: Marko Zec, Luigi, Rizzo Miljenko Mikuc  Publisher: SIGCOMM Computer Communication Review,
How to use DNS during the evolution of ICN? Zhiwei Yan.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
Increasing the Zone Signing Key Size for the Root Zone
High performance recursive DNS solution
Geoff Huston Chief Scientist, APNIC
Security Issues with Domain Name Systems
Understanding and Improving Server Performance
NFV Compute Acceleration APIs and Evaluation
DNS Cookies draft-eastlake-dnsext-cookies-00.txt
A longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Database backed DNS.
SEMINAR ON DDNS (DYNAMIC DOMAIN NAME SERVICE)
File Share Dependencies
Hybrid Cloud Architecture for Software-as-a-Service Provider to Achieve Higher Privacy and Decrease Securiity Concerns about Cloud Computing P. Reinhold.
Programming Assignment #1
Living on the Edge: (Re)focus DNS Efforts on the End-Points
Teemu Savolainen (Nokia) MIF WG IETF#75 28-July-2009
Network Load Balancing
DNS Session 5 Additional Topics
Some bits on how it works
Unit 5: Providing Network Services
PES Lessons learned from large scale LSF scalability tests
Donald E. Eastlake 3rd TSIG SHA etc. Donald E. Eastlake 3rd March.
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
Introduction to Computers
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Chapter 19 Domain Name System (DNS)
Plethora: Infrastructure and System Design
ROUND ROBIN DNS Round robin DNS is usually used for balancing the load of geographically distributed Web servers. For example, a company has one domain.
Managing Name Resolution
What DNSSEC Provides Cryptographic signatures in the DNS
Key Information Contact Details for everyone
Chap. 12 Memory Organization
NET 536 Network Security Lecture 8: DNS Security
CLIENT/SERVER COMPUTING ENVIRONMENT
Chapter 25 Domain Name System
NET 536 Network Security Lecture 6: DNS Security
Chapter 25 Domain Name System
Performance Analysis of authentication and authorization
IP Control Gateway (IPCG)
Domain Name System: DNS
COMPUTER NETWORKS PRESENTATION
Programming Assignment #1
DNSSEC Status Update in UA
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Review Test 3 CS 101 Spring 2019.
Trust Anchor Signals from Custom Applications
Unconstrained Endpoint Profiling (Googling the Internet)‏
Unity Application Generator
Domain Name Server Presented By: Mahesh Venkat Adusumelli
Notes on: Cache Comparison Problem
Presentation transcript:

draft-zhang-dnsext-test-result-00 DNS Test Result draft-zhang-dnsext-test-result-00 Zhang Juan, Li Lianyuan IETF 83

Introduction In the test, performances of recursive DNS with DNSSec enabled under different circumstances are listed. DNSSec is enabled in the recursive DNS in the following cases Case 1, all queries generated by the simulator are DNS queries without authentication request Case 2, tests on recursive DNS with DNSSec and sortlist enabled is done. That is all queries are still DNS queries without authentication request. However, recursive DNS need to sort the records in special order for every query. records in specific IP address segment can be sorted in front of the others. Finally, all queries are based on DNSSec and all the signature part records are authenticated by the recursive server.

Test layout The test simulated a complete recursive request-response procedure in a closed network. All the servers are assembled with 2 Intel CPUs with 8 core in each other and 8GB RAM. And DNS software is BIND 9.8.1-p1. Two data models are simulated 75% and 80% shooting average in the cache of recursive DNS. Avalanche 3100

More details on test layout Avalanche 3100 is used as request generator, which can simulate many clients with different IP addresses with each other. In the test, the Sortlist function of Bind is used to sort records for every query. In the test, Dnssec-keygen of Bind is used to generate the keys, and the algorithm is RSASHA1. The size of ZSK is 1024bit, and the KSK is 2048bit.

Test Results Table 1: Performance Test Results Of Recursive DNS with hit ratio of 80% QPS Numerical percentage of CPU utilization QPS under 30%CPU Utilization 12000QPS 10000QPS 8000QPS 6000QPS DNS 21.6% 17.6% 14.1% 10.6% 19800 Sortlist(200) 24.7% 19.5% 16.8% 12.3% 19300 DNSSEC 36.2% 30.6% 24.3% 18.1% 9800 Table 2: Performance Test Results Of Recursive DNS with hit ratio of 75% QPS Numerical percentage of CPU utilization QPS under 30%CPU Utilization 12000QPS 10000QPS 8000QPS 6000QPS DNS 20.3% 17.2% 13.9% 10.5% 18000 Sortlist(200) 23.2% 19.1% 15.8% 11.7% 17400 DNSSEC 46.9% 37.6% 29.5% 22.2% 8200 If some strategy like sortlist is enabled, the performance of recursive DNS almost doesn’t change. While if DNSSec is enabled, the performance of recursive DNS will be greatly influenced, which can be reduced about 50%.

Suggestion and Next Step More attention should be paid on the performance of DNS when DNSSec is enabled. Next Step More tests on this subject will be done Various size of keys will be tested

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.