How a tiny DNSSEC server can make a huge difference

26 Nov 2014

Category: Tech matters


Ray Bellis presenting at Ofcom in June. Image credit: Adam Leach

At the IEPG meeting held at IETF 91 in Honolulu, Ray Bellis from Nominet (the .UK ccTLD registry) presented his tiny DNSSEC server. Ray wrote it for APNIC Labs so we could test DNSSEC.

The engine is written using evldns, a mash-up of libevent and ldns, and in a few hundred lines of code it is able to serve an infinite number of ‘random’ subzones in DNS, signing them on the fly. Because every answer is signed at the moment the query arrives, throughput is bound by the CPU: the cost of the cryptography used to sign the zone limits how many DNS queries can be handled per second. On our test hardware, we got up to 400 queries per second. Not bad for a tiny chunk of C and C++.

This trick will permit APNIC Labs to reconstruct our DNSSEC measurement, which currently depends on a monolithic DNS server running BIND that takes over 4 hours to reload 750,000 statically signed zones. Ray’s method can handle around 400 queries per second, and we have already re-coded part of it to permit us to run three instances in parallel and serve around 1,000 queries per second. At a sustained rate this will let us handle 80 million queries a day, which equates to around 10 million experiments. Since we currently do less than one million, that’s a huge increase.

Ray also included logic to serve badly signed zones, which permits us to test who is actually validating DNSSEC: a validating resolver fails on a name whose signature is deliberately broken, while a non-validating resolver returns it regardless. The results of our DNSSEC work are currently available here, but will be presented on the main APNIC Labs website once web markup work is completed. Ray’s code is available on GitHub.
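The mechanism described above, as an added illustration that is not Ray’s evldns code: an authority that signs a never-before-seen subzone at query time (with a deliberately broken variant), and a resolver that either validates or does not. The textbook RSA key and the SHA-256 digest are constructed stand-ins for a real DNSKEY and the canonical RRset that DNSSEC actually signs.

```python
import hashlib
import secrets

# Constructed toy RSA key standing in for the zone's DNSKEY. Textbook RSA with
# small primes illustrates the mechanism; it offers no real security.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def rrset_digest(owner: str, rdata: str) -> int:
    """Stand-in for the canonical RRset + RRSIG RDATA that DNSSEC hashes."""
    h = hashlib.sha256(f"{owner.lower()} IN A {rdata}".encode()).digest()
    return int.from_bytes(h, "big") % N


def sign_on_the_fly(owner: str, rdata: str, bad: bool = False) -> dict:
    """Authority side: the subzone exists only once a query for it arrives,
    so nothing is pre-signed. bad=True emulates the deliberately broken
    signatures used to detect validating resolvers."""
    sig = pow(rrset_digest(owner, rdata), D, N)
    if bad:
        sig ^= 1  # flip one bit so the signature no longer verifies
    return {"owner": owner, "rdata": rdata, "sig": sig}


def resolve(answer: dict, validating: bool) -> str:
    """Resolver side: a validating resolver checks the signature with the zone
    key and returns SERVFAIL on failure; a non-validating one accepts it."""
    if not validating:
        return "NOERROR"
    ok = pow(answer["sig"], E, N) == rrset_digest(answer["owner"], answer["rdata"])
    return "NOERROR" if ok else "SERVFAIL"


def classify(good_rcode: str, bad_rcode: str) -> str:
    """Turn the two outcomes of one experiment into a verdict on the resolver."""
    if good_rcode == "NOERROR" and bad_rcode == "SERVFAIL":
        return "validating"
    if good_rcode == "NOERROR" and bad_rcode == "NOERROR":
        return "not validating"
    return "broken"


def run_experiment(validating: bool) -> str:
    """One measurement: a fresh random subzone, one well-signed and one
    badly signed name, resolved through the same (simulated) resolver."""
    exp = secrets.token_hex(4)  # unique label defeats any cached answer
    good = resolve(sign_on_the_fly(f"{exp}.good.example.", "192.0.2.1"), validating)
    bad = resolve(sign_on_the_fly(f"{exp}.bad.example.", "192.0.2.2", bad=True), validating)
    return classify(good, bad)
```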

Many thanks to Nominet, and Ray for this work.
