Performance Measurements With DNS/DNSSEC - IEPG · DNS servers : BIND 9.6.0-P1, UNBOUND 1.2.1, NSD 3.2.1 DNS server configuration : ... Performance Measurements With DNS/DNSSEC –

unrestricted

Performance MeasurementsWith DNS/DNSSECDaniel MigaultIEPG79 – Beijin November 6, 2010

Performance Measurements With DNS/DNSSEC – Orange Labs 2 D. Migault, [email protected] – IEPG79 – Beijin November 6, 2010

ToC Experimental Measurements Test. Env. UT CPU RT Update CHR II. Concl. Application

Table of Contents

Goal of the presentation :

DNS/DNSSEC implementations have different performances

How DNSSEC affects platforms performances

This presentation :

Based on A Performance View on DNSSEC Migration, CNSM2010

Extended version with the mathematical expression of measured curvesis expected soon

We have a python library with all curves

Fell free to contact me to get them : [email protected]



Table of Contents

I. Performance View & Experimental Measurements

Testing Environment

Latency for Unitary tests

CPU Load

Response Time

Update Operations

Cache Hit Rate

II. Measurements Conclusion

III. Application



Experimental Measurements

Experimental work measures the cost of DNSSEC migration :

Cost between different implementations - BIND9 , NSD , UNBOUND

Cost for Authoritative & Resolving servers

Cost between different DNSSEC policies - DNS, DNSSEC without valida-tion (DNSSEC), DNSSEC with validation (DNSSEC∗ )

Costs consider :

Latency & Processing Time for Unitary Tests

CPU Load

Response Time

Update Operations

Cache Hit Rate

http://www.isc.org/software/bind

http://nlnetlabs.nl/projects/nsd/

http://nlnetlabs.nl/projects/unbound/



Experimental Measurements

Software :

DNS servers : BIND 9.6.0-P1, UNBOUND 1.2.1, NSD 3.2.1

DNS server configuration : we run all servers with a mono thread mode

Tools : dnsperf, resperf, collectl, Wireshark

Hardware :

Servers : Intel Pentium III ( @ 1GHz 32 bits) CPU, 384MB of RAM withDebian 5.0 (lenny), Linux kernel 2.6.24.

End user : Intel Xeon E5420 (Quad-Core @ 2.5GHz 32bits) CPU, 3GBRAM with Ubuntu 8.10 (hardy) 32 bits version with Linux kernel 2.6.27.



Testing Environment - Authoritative Servers

AUTHORITATIVEEND USER

DNS query

Authoritative

Processing

Time

Client

Processing

Time

NETWORK

ISP

Network

Latency

T1 T2

T4 T3

T0

T5DNS response



Testing Environmment - Resolving Servers

END USER

DNS query

DNS Response

Client

Processing

Time

NETWORK

ISP

Network

Latency

T1

T8CACHE

T2

T7AUTHORITATIVE

Authoritative

Processing

Time

T5

DNS response

NETWORK

Internet

Network

Latency

DNS query

Cache

Processing

Time

T3 T4T0

T6

T9



Unitary Tests - Authoritative Servers

BIND - DNSBIND - DNSSEC

NSD - DNSNSD - DNSSEC

0

100

200

300

La

ten

cy (

10

-6 s

)

Authoritative Processing TimeISP Network TimeClient Processing Time

NSD ’s Processing Time (PT) is 40% of BIND9 ’s

NSD Network Latency (NL) is 92% of BIND9 ’s Latency

DNSSEC migration increases PT by 25% for BIND9 and 8% for NSD

DNSSEC migration BIND9 / NSD increases NL by 60%











Unitary Tests - Resolving Servers

BIND Unbound BIND Unbound BIND Unbound0.00E+0

5.00E-4

1.00E-3

1.50E-3

2.00E-3

2.50E-3

3.00E-3

La

ten

cy (

s)

DNS DNSSEC DNSSEC validation



Unitary Tests - Resolving Servers

UNBOUND Processing Time is respectively 33%, 22% and 54% ofBIND9 ’s for DNS, DNSSEC and DNSSEC with validation

Migration from DNS to DNSSEC without validation increases ProcessingTime of 9% for UNBOUND and 14% for BIND9

Migration from DNS to DNSSEC with validation increases ProcessingTime of 353% for UNBOUND and 216% for BIND9









CPU Load - Authoritative Servers

00E-1 40E+2 80E+2 12E+3 16E+3 20E+30

20

40

60

80

100

Query per second

CP

U L

oa

d (

%)

DNS BINDDNS NSDDNSSEC BINDDNSSEC NSD

For DNS/DNSSEC, NSD deals with around 2.3 times more traffic thanBIND9

DNSSEC Maximum Load is 79% and 83% of DNS Maximum Load forBIND9 and NSD

DNSSEC costs roughly corresponds to 30% of the DNS traffic







CPU load - Resolving Servers

0 500 1000 1500 2000 2500 3000 3500 4000 45000

20

40

60

80

100

Query per second

CP

U L

oa

d (

%)



CPU load - Resolving Servers

UNBOUND deals with 3.4 (resp. 1.8 ) times more traffic than BIND9with DNS/DNSSEC (resp. DNSSEC with validation)

With BIND9 DNSSEC without validation (resp. with validation) maximumtraffic corresponds to 90% (resp. 49%) DNS maximum traffic

With UNBOUND with DNSSEC without validation (resp. with validation)maximum traffic corresponds to 86% (resp. 25%) DNS maximum traffic







Response Time - Authoritative Servers

20% 40% 60% 80% 100%0.0E+0

5.0E-4

1.0E-3

1.5E-3

Server Load (CPU)

Ser

ver

Re

spo

nse

Tim

e (

s)

BIND DNSNSD DNSBIND DNSSECNSD DNSSEC

For CPU time below 40%, NSD is about two time faster than BIND9

Migration to DNSSEC increases response time of 20% for NSD and10% for BIND9







Response Time - Resolving Servers

20% 30% 40% 50% 60% 70% 80% 90% 100%0.00E+0

5.00E-3

1.00E-2

1.50E-2

2.00E-2

CPU Load on caching serverRe

solv

er

Pro

cess

ing

Tim

e (

s)

BIND DNSUNBOUND DNSBIND DNSSECUNBOUND DNSSECBIND DNSSEC with validationUNBOUND DNSSEC with validation

For CPU time below 50%, UNBOUND response time is 35% (resp.30% and 75%) of BIND9 ’s for DNS (resp. DNSSEC, DNSSEC∗ )

With DNSSEC and validation, migration increases DNS response time by35% for BIND9 and 215% for UNBOUND







Update - add/delete Costs

0 20 40 60 80 100 120 140 1600

10

20

30

Time (s)

Pa

cke

ts

pe

r S

eco

nd

200 add 100 add + 100 delete

0 20 40 60 80 100 120 140 160 1800

10

20

Time (in s)

Pa

cke

ts

pe

r S

eco

nd

2 add1 add + 1 delete



Update - add/delete Costs

Updates are performed on BIND9

With DNS (resp. DNSSEC) add requires 1.42 (resp. 4.16 ) more timethan delete

Migration from DNS to DNSSEC makes add (resp. delete ) operation221 (resp. 75 ) times longer




Update - Operations per Datagram

0 50 100 150 200 2500E+0

2E+3

4E+3

Time (s)Up

da

te p

er

Se

con

d Number of add per datagram

Sending multiple updates is more efficient, both with DNS and DNSSEC



Traf�c Cache Hit Rate

20% 30% 40% 50% 60% 70% 80% 90% 100%15

150

1500

CHR

% a

dd

ed

qu

eri

es

BIND-DNSBIND-DNSSEC-VALBIND-DNSSECUnbound-DNSUnbound-DNSSEC-VALUnbound-DNSSEC

AQR(CHR) =qCPUCHR

−qCPUCHR=0

qCPUCHR=0

DNSSEC∗ has an AQR that varies from 1149% to 1779%

DNSSEC and DNS has an AQR varying from 374% to 592%

Conclusion



Conclusion

DNSSEC performances are impacted by :

The DNS/DNSSEC/DNSSEC∗ policies

The servers implementations

NSD / BIND9 & UNBOUND / BIND9

The platform’s node hardware

Intel Pentium III (@ 1GHz 32 bits) CPU, 384MB of RAM

Operating System

Debian 5.0 (lenny), Linux kernel 2.6.24

The server’s configuration

Default configuration - 1 thread







Conclusion

The DNS/DNSSEC traffic

CHR, 1 signature per response

DNSSEC deployment over the Internet

We did not consider mixed DNS/DNSSEC/DNSSEC∗ traffic

...

So, the conclusion of this presentation might be :

DNSSEC is a hard nut to crack

Platform design should be carefully handled

Move to DNSSEC ASAP and carefully!

Application



Application

Example of DNS Traffic :

Daily query rate is 40.000 q.s−1 , with pics up to 120.000 q.s−1

Cache Hit Rate : CHR = 0.7

Thus, we design the platform for :

40.000 q.s−1

cpumax = 20%

With nodes Intel Pentium III (@ 1GHz 32 bits) CPU, 384MB of RAM

In our design we consider for the different Protocols/Implementations :

Number of nodes

Response time



Application - Authoritative Servers

Nodes DNS DNSSEC

BIND9 29 ( 1.00∗ ) 38 ( 1.31∗ )NSD 9 ( 1.00∗ ) 12 ( 1.33∗ )

UNBOUNDBIND9 (IR∗∗ ) 0.31 0.32

Response Time µs DNS DNSSEC

BIND9 239.38 ( 1.00∗ ) 1161.80 ( 4.85∗ )NSD 92.27 ( 1.00∗ ) 130.42 ( 1.41∗ )

UNBOUNDBIND9 (IR∗∗ ) 0.39 4.50

∗ : Protocol Ratio, ∗∗ Implementation Ratio



Application Resolving Servers

Nodes DNS DNSSEC DNSSEC∗

BIND9 80 ( 1∗ ) 87 ( 1.09∗ ) 160 ( 2.00∗ )UNBOUND 20 ( 1∗ ) 24 ( 1.20∗ ) 85 ( 4.25∗ )

UNBOUNDBIND9

(IR∗∗ ) 0.25 0.28 0.53

Response Time (µs ) DNS DNSSEC DNSSEC∗

BIND9 1402 ( 1∗ ) 1161 ( 0.80∗ ) 2300 ( 1.63∗ )UNBOUND 401 ( 1∗ ) 366 ( 0.92∗ ) 2000 ( 4.99∗ )

UNBOUNDBIND9 (IR∗∗ ) 0.20 0.20 0.87

∗ : Protocol Ratio, ∗∗ Implementation Ration

Q & A

Documents

Performance Measurements With DNS/DNSSEC - IEPG · DNS servers : BIND 9.6.0-P1, UNBOUND 1.2.1, NSD 3.2.1 DNS server configuration : ... Performance Measurements With DNS/DNSSEC –