[AfrICANN-discuss] Deployment of DNSSEC in the Root Zone: Impact Analysis

Anne-Rachel Inné annerachel at gmail.com
Fri Apr 15 12:29:42 SAST 2011

Deployment of DNSSEC in the Root Zone: Impact Analysis

14 April 2011

In 2010 ICANN commissioned a study from DNS-OARC <http://www.dns-oarc.net/> to
examine the impact of DNSSEC deployment in the root
and in particular the effects on clients from the large DNS responses
resulting from the use of a Deliberately Unvalidatable Root Zone (DURZ).

The DNS-OARC study drew upon the results of a coordinated data collection
exercise by root server operators <http://www.root-servers.org/>, with each
data collection window timed to coincide with a transition by one or more
root servers<http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-icann-dnssec-deployment-02.txt>
 [TXT, 28 KB] from serving an unsigned root zone to serving the DURZ.

ICANN is publishing this report in order to share its findings with the
wider DNS community.

The conclusion of the DNS-OARC study is included below.

The average message size of UDP-based DNS response size grew by about 40%,
from 405 to 569 octets. The largest observed responses were just over 900

There is evidence that the introduction of the DURZ resulted in an increase
in the number of query retries for some types of query, but it is unclear
whether this corresponds to clients with path MTU issues or is simply path
MTU discovery at work. The apparent absence of any problem reports strongly
suggests the latter.

The number of TCP-based DNS queries to the root servers increased by
approximately 1333%, from 30 per second prior to the introduction of the
DURZ to around 400 per second afterwords. However, TCP-based queries, which
were a miniscule 0.02% of total query traffic before the DURZ, were still
only 0.17% of it afterwords. While 400 TCP connections per second may seem
high, it is small relative to available capacity, particularly as the root
servers comprise approximately 300 individual nodes. The number of clients
using TCP for DNS queries rose by over 1800% from around 1600 distinct
sources per hour to nearly 30,000. This is still a tiny fraction of all DNS

Deployment of DNSSEC in the Root Zone: Impact
 [PDF, 799 KB]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20110415/dc66ef19/attachment.htm

More information about the AfrICANN mailing list