View
238
Download
0
Category
Preview:
Citation preview
Performance Measurements With DNS/DNSSEC – Orange Labs 2 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Table of Contents
Goal of the presentation :
DNS/DNSSEC implementations have different performances
How DNSSEC affects platforms performances
This presentation :
Based on A Performance View on DNSSEC Migration, CNSM2010
Extended version with the mathematical expression of measured curvesis expected soon
We have a python library with all curves
Fell free to contact me to get them : mglt.ietf@gmail.com
Performance Measurements With DNS/DNSSEC – Orange Labs 3 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Table of Contents
I. Performance View & Experimental Measurements
Testing Environment
Latency for Unitary tests
CPU Load
Response Time
Update Operations
Cache Hit Rate
II. Measurements Conclusion
III. Application
Performance Measurements With DNS/DNSSEC – Orange Labs 4 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Experimental Measurements
Experimental work measures the cost of DNSSEC migration :
Cost between different implementations - BIND9 , NSD , UNBOUND
Cost for Authoritative & Resolving servers
Cost between different DNSSEC policies - DNS, DNSSEC without valida-tion (DNSSEC), DNSSEC with validation (DNSSEC∗ )
Costs consider :
Latency & Processing Time for Unitary Tests
CPU Load
Response Time
Update Operations
Cache Hit Rate
Performance Measurements With DNS/DNSSEC – Orange Labs 5 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Experimental Measurements
Software :
DNS servers : BIND 9.6.0-P1, UNBOUND 1.2.1, NSD 3.2.1
DNS server configuration : we run all servers with a mono thread mode
Tools : dnsperf, resperf, collectl, Wireshark
Hardware :
Servers : Intel Pentium III ( @ 1GHz 32 bits) CPU, 384MB of RAM withDebian 5.0 (lenny), Linux kernel 2.6.24.
End user : Intel Xeon E5420 (Quad-Core @ 2.5GHz 32bits) CPU, 3GBRAM with Ubuntu 8.10 (hardy) 32 bits version with Linux kernel 2.6.27.
Performance Measurements With DNS/DNSSEC – Orange Labs 6 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Testing Environment - Authoritative Servers
AUTHORITATIVEEND USER
DNS query
Authoritative
Processing
Time
Client
Processing
Time
NETWORK
ISP
Network
Latency
T1 T2
T4 T3
T0
T5DNS response
Performance Measurements With DNS/DNSSEC – Orange Labs 7 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Testing Environmment - Resolving Servers
END USER
DNS query
DNS Response
Client
Processing
Time
NETWORK
ISP
Network
Latency
T1
T8CACHE
T2
T7AUTHORITATIVE
Authoritative
Processing
Time
T5
DNS response
NETWORK
Internet
Network
Latency
DNS query
Cache
Processing
Time
T3 T4T0
T6
T9
Performance Measurements With DNS/DNSSEC – Orange Labs 8 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Unitary Tests - Authoritative Servers
BIND - DNSBIND - DNSSEC
NSD - DNSNSD - DNSSEC
0
100
200
300
La
ten
cy (
10
-6 s
)
Authoritative Processing TimeISP Network TimeClient Processing Time
NSD ’s Processing Time (PT) is 40% of BIND9 ’s
NSD Network Latency (NL) is 92% of BIND9 ’s Latency
DNSSEC migration increases PT by 25% for BIND9 and 8% for NSD
DNSSEC migration BIND9 / NSD increases NL by 60%
Performance Measurements With DNS/DNSSEC – Orange Labs 9 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Unitary Tests - Resolving Servers
BIND Unbound BIND Unbound BIND Unbound0.00E+0
5.00E-4
1.00E-3
1.50E-3
2.00E-3
2.50E-3
3.00E-3
La
ten
cy (
s)
DNS DNSSEC DNSSEC validation
Performance Measurements With DNS/DNSSEC – Orange Labs 10 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Unitary Tests - Resolving Servers
UNBOUND Processing Time is respectively 33%, 22% and 54% ofBIND9 ’s for DNS, DNSSEC and DNSSEC with validation
Migration from DNS to DNSSEC without validation increases ProcessingTime of 9% for UNBOUND and 14% for BIND9
Migration from DNS to DNSSEC with validation increases ProcessingTime of 353% for UNBOUND and 216% for BIND9
Performance Measurements With DNS/DNSSEC – Orange Labs 11 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
CPU Load - Authoritative Servers
00E-1 40E+2 80E+2 12E+3 16E+3 20E+30
20
40
60
80
100
Query per second
CP
U L
oa
d (
%)
DNS BINDDNS NSDDNSSEC BINDDNSSEC NSD
For DNS/DNSSEC, NSD deals with around 2.3 times more traffic thanBIND9
DNSSEC Maximum Load is 79% and 83% of DNS Maximum Load forBIND9 and NSD
DNSSEC costs roughly corresponds to 30% of the DNS traffic
Performance Measurements With DNS/DNSSEC – Orange Labs 12 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
CPU load - Resolving Servers
0 500 1000 1500 2000 2500 3000 3500 4000 45000
20
40
60
80
100
Query per second
CP
U L
oa
d (
%)
Performance Measurements With DNS/DNSSEC – Orange Labs 13 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
CPU load - Resolving Servers
UNBOUND deals with 3.4 (resp. 1.8 ) times more traffic than BIND9with DNS/DNSSEC (resp. DNSSEC with validation)
With BIND9 DNSSEC without validation (resp. with validation) maximumtraffic corresponds to 90% (resp. 49%) DNS maximum traffic
With UNBOUND with DNSSEC without validation (resp. with validation)maximum traffic corresponds to 86% (resp. 25%) DNS maximum traffic
Performance Measurements With DNS/DNSSEC – Orange Labs 14 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Response Time - Authoritative Servers
20% 40% 60% 80% 100%0.0E+0
5.0E-4
1.0E-3
1.5E-3
Server Load (CPU)
Ser
ver
Re
spo
nse
Tim
e (
s)
BIND DNSNSD DNSBIND DNSSECNSD DNSSEC
For CPU time below 40%, NSD is about two time faster than BIND9
Migration to DNSSEC increases response time of 20% for NSD and10% for BIND9
Performance Measurements With DNS/DNSSEC – Orange Labs 15 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Response Time - Resolving Servers
20% 30% 40% 50% 60% 70% 80% 90% 100%0.00E+0
5.00E-3
1.00E-2
1.50E-2
2.00E-2
CPU Load on caching serverRe
solv
er
Pro
cess
ing
Tim
e (
s)
BIND DNSUNBOUND DNSBIND DNSSECUNBOUND DNSSECBIND DNSSEC with validationUNBOUND DNSSEC with validation
For CPU time below 50%, UNBOUND response time is 35% (resp.30% and 75%) of BIND9 ’s for DNS (resp. DNSSEC, DNSSEC∗ )
With DNSSEC and validation, migration increases DNS response time by35% for BIND9 and 215% for UNBOUND
Performance Measurements With DNS/DNSSEC – Orange Labs 16 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Update - add/delete Costs
0 20 40 60 80 100 120 140 1600
10
20
30
Time (s)
Pa
cke
ts
pe
r S
eco
nd
200 add 100 add + 100 delete
0 20 40 60 80 100 120 140 160 1800
10
20
Time (in s)
Pa
cke
ts
pe
r S
eco
nd
2 add1 add + 1 delete
Performance Measurements With DNS/DNSSEC – Orange Labs 17 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Update - add/delete Costs
Updates are performed on BIND9
With DNS (resp. DNSSEC) add requires 1.42 (resp. 4.16 ) more timethan delete
Migration from DNS to DNSSEC makes add (resp. delete ) operation221 (resp. 75 ) times longer
Performance Measurements With DNS/DNSSEC – Orange Labs 18 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Update - Operations per Datagram
0 50 100 150 200 2500E+0
2E+3
4E+3
Time (s)Up
da
te p
er
Se
con
d Number of add per datagram
Sending multiple updates is more efficient, both with DNS and DNSSEC
Performance Measurements With DNS/DNSSEC – Orange Labs 19 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Traf�c Cache Hit Rate
20% 30% 40% 50% 60% 70% 80% 90% 100%15
150
1500
CHR
% a
dd
ed
qu
eri
es
BIND-DNSBIND-DNSSEC-VALBIND-DNSSECUnbound-DNSUnbound-DNSSEC-VALUnbound-DNSSEC
AQR(CHR) =qCPUCHR
−qCPUCHR=0
qCPUCHR=0
DNSSEC∗ has an AQR that varies from 1149% to 1779%
DNSSEC and DNS has an AQR varying from 374% to 592%
Performance Measurements With DNS/DNSSEC – Orange Labs 20 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Conclusion
DNSSEC performances are impacted by :
The DNS/DNSSEC/DNSSEC∗ policies
The servers implementations
NSD / BIND9 & UNBOUND / BIND9
The platform’s node hardware
Intel Pentium III (@ 1GHz 32 bits) CPU, 384MB of RAM
Operating System
Debian 5.0 (lenny), Linux kernel 2.6.24
The server’s configuration
Default configuration - 1 thread
Performance Measurements With DNS/DNSSEC – Orange Labs 21 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Conclusion
The DNS/DNSSEC traffic
CHR, 1 signature per response
DNSSEC deployment over the Internet
We did not consider mixed DNS/DNSSEC/DNSSEC∗ traffic
...
So, the conclusion of this presentation might be :
DNSSEC is a hard nut to crack
Platform design should be carefully handled
Move to DNSSEC ASAP and carefully!
Performance Measurements With DNS/DNSSEC – Orange Labs 22 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Application
Example of DNS Traffic :
Daily query rate is 40.000 q.s−1 , with pics up to 120.000 q.s−1
Cache Hit Rate : CHR = 0.7
Thus, we design the platform for :
40.000 q.s−1
cpumax = 20%
With nodes Intel Pentium III (@ 1GHz 32 bits) CPU, 384MB of RAM
In our design we consider for the different Protocols/Implementations :
Number of nodes
Response time
Performance Measurements With DNS/DNSSEC – Orange Labs 23 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Application - Authoritative Servers
Nodes DNS DNSSEC
BIND9 29 ( 1.00∗ ) 38 ( 1.31∗ )NSD 9 ( 1.00∗ ) 12 ( 1.33∗ )
UNBOUNDBIND9 (IR∗∗ ) 0.31 0.32
Response Time µs DNS DNSSEC
BIND9 239.38 ( 1.00∗ ) 1161.80 ( 4.85∗ )NSD 92.27 ( 1.00∗ ) 130.42 ( 1.41∗ )
UNBOUNDBIND9 (IR∗∗ ) 0.39 4.50
∗ : Protocol Ratio, ∗∗ Implementation Ratio
Performance Measurements With DNS/DNSSEC – Orange Labs 24 D. Migault, mglt.ietf@gmail.com – IEPG79 – Beijin November 6, 2010
ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application
Application Resolving Servers
Nodes DNS DNSSEC DNSSEC∗
BIND9 80 ( 1∗ ) 87 ( 1.09∗ ) 160 ( 2.00∗ )UNBOUND 20 ( 1∗ ) 24 ( 1.20∗ ) 85 ( 4.25∗ )
UNBOUNDBIND9
(IR∗∗ ) 0.25 0.28 0.53
Response Time (µs ) DNS DNSSEC DNSSEC∗
BIND9 1402 ( 1∗ ) 1161 ( 0.80∗ ) 2300 ( 1.63∗ )UNBOUND 401 ( 1∗ ) 366 ( 0.92∗ ) 2000 ( 4.99∗ )
UNBOUNDBIND9 (IR∗∗ ) 0.20 0.20 0.87
∗ : Protocol Ratio, ∗∗ Implementation Ration
Recommended