Capacity and scalability are both necessary when managing DNSSEC and D/DoS. Capacity, needed to maintain operations during D/DoS attacks, is also needed for the increased traffic that DNSSEC deployment brings. Scalability is highly important: as DNSSEC is deployed, not only will greater traffic levels be encountered, but greater demand will be placed on the DNS platform.
In the interest of understanding both capacity and scalability, CommunityDNS conducted tests to assess the readiness of the two main DNS server platforms, BIND and NSD, to see how they would handle the added workload imposed on standard server hardware and to expose any limitations. To be fair, the same tests were conducted on CommunityDNS' own platform. Details of the study may be found here [PDF].
Tests applied to the BIND, NSD and CommunityDNS platforms consisted of high volumes of queries being sent to the three different DNS platforms, using four zone sizes in both unsigned and signed environments. The zone sizes represented were 7,691, 240,419, 19,405,229 and 57,873,014 names.
It should be noted that neither BIND nor NSD could load the zone file of 57,873,014 names. It should also be noted that as testing began, CommunityDNS' platform still had excess capacity whilst peaking at queries per second. The testing infrastructure was therefore changed, moving to a complete gigabit platform in switches and routers and to CAT-6 cabling. Tests were rerun using the new network infrastructure, achieving higher results.
Capacity Processing: Results of the testing revealed:

| Zone file size | 7,691 | 240,419 | 19,405,229 | 57,873,014 |
|---|---|---|---|---|
| CDNS capacity vs. BIND (more q/sec) | 131% unsigned, 164% signed | 226% unsigned, 282% signed | 110% unsigned, 250% signed | BIND was unable to load a file of this size |
| CDNS capacity vs. NSD (more q/sec) | 31% unsigned, 34% signed | 55% unsigned, 73% signed | 45% unsigned, 68% signed | NSD was unable to load a file of this size |
| Processing peaks, unsigned (q/sec) | BIND 53,600; NSD 94,400; CDNS 124,000 | BIND 37,500; NSD 79,000; CDNS 122,300 | BIND 57,500; NSD 83,000; CDNS 121,000 | BIND 0; NSD 0; CDNS 120,500 |
| Processing peaks, signed (q/sec) | BIND 39,000; NSD 71,000; CDNS 103,000 | BIND 28,000; NSD 61,700; CDNS 107,000 | BIND 25,500; NSD 53,300; CDNS 99,300 | BIND 0; NSD 0; CDNS 89,300 |
Scalability: Examining scalability revealed that, for zone file sizes from 7,691 to 19,405,229 names, the degradation for unsigned zones was 2.4% for CommunityDNS, -7.2% for BIND and 12.1% for NSD. For the same zone sizes in a signed environment there was a 3.6% degradation for CommunityDNS, 34.6% for BIND and 30.9% for NSD.
So, when looking at the operational stability of DNS platforms during D/DoS attacks or during the migration to signed zones, both capacity and scalability are important to ensuring operational resilience.
Written by Chuck Kisselburg, Director, Strategic Partnerships