DNSSEC Blog


Wednesday, January 26, 2011

Performance hit could be the price of DNS security

Recent security fixes to the Domain Name System have bought the Internet community time to implement a more permanent solution in the form of the DNS Security Extensions, but the job of putting the protocols into place has only begun, said one industry observer. And when DNS zones are signed securely, there will likely be a trade-off in performance.

A study by Infoblox, which makes network management automation tools, showed a fourfold increase in the number of digitally signed zones from 2009 to 2010, said Vice President of Architecture Cricket Liu. But that still amounted to only 0.022 percent of zones that had been signed with DNSSEC.

Implementing DNSSEC to ensure that IP address information received in response to DNS queries is legitimate is complicated by two factors. First, the system requires a chain of trust for validating digital signatures, which means they will not work unless the protocols are enabled on a substantial portion of the Internet. Fortunately, the root zone at the top of the DNS hierarchy has been signed, and a number of top-level domains immediately under it have also been signed.

“The last big domino to fall is going to be .com, which is scheduled to be signed in March,” Liu said Jan. 25 during a talk in Washington. “This is the year of no excuses because .com is signed this year.”

Source: "Performance hit could be the price of DNS security", William Jackson, Retrieved on Jan 26, 2011 from
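The chain-of-trust dependency the article describes (a signed zone cannot be validated unless every zone above it is signed and publishes a DS record for it) can be modelled with the DS-to-DNSKEY link defined in RFC 4034. The following is an added example, not code from the article or the blog; zone names, keys and the 'ds' dictionaries are constructed, and RRSIG verification is deliberately left out so the example only shows where a chain breaks.

```python
import hashlib

def name_to_wire(name):
    """Owner name ('example.') in DNS wire format, lowercased; '.' becomes a single zero byte."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return flags.to_bytes(2, 'big') + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name wire format + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def make_ds(owner, rdata):
    """The DS record a parent zone would publish for this child DNSKEY (constructed)."""
    return {'key_tag': key_tag(rdata), 'algorithm': rdata[3],
            'digest': ds_digest(owner, rdata)}

def ds_matches(owner, rdata, ds):
    """True if a parent's DS (or a trust anchor in DS form) commits to this DNSKEY."""
    return (ds['key_tag'] == key_tag(rdata) and ds['algorithm'] == rdata[3]
            and ds['digest'] == ds_digest(owner, rdata))

def validate_chain(zones):
    """zones: list from the root down; each has 'name', 'dnskey' (RDATA) and 'ds',
    the DS its parent publishes (the root's entry is the configured trust anchor).
    'ds' is None when the parent is unsigned or delegates insecurely.
    Returns the first zone name at which the chain breaks, or None if it holds."""
    for z in zones:
        if z['ds'] is None or not ds_matches(z['name'], z['dnskey'], z['ds']):
            return z['name']
    return None

# Constructed keys: flags 257 (KSK), protocol 3, algorithm 8, toy public key bytes.
ROOT_KEY = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))
COM_KEY = dnskey_rdata(257, 3, 8, bytes([5, 6, 7, 8]))
EXAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))

# With .com unsigned (no DS in the root zone) the signed child cannot be validated.
BROKEN_CHAIN = [
    {'name': '.', 'dnskey': ROOT_KEY, 'ds': make_ds('.', ROOT_KEY)},
    {'name': 'com.', 'dnskey': COM_KEY, 'ds': None},
    {'name': 'example.com.', 'dnskey': EXAMPLE_KEY, 'ds': make_ds('example.com.', EXAMPLE_KEY)},
]
```

Once every zone in the path publishes a DS for its child, the same walk returns None; a DNSKEY that does not match the parent's DS breaks the chain at that zone.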


1 comment:

  1. Daniel Migault, a security engineer for France Telecom, conducted tests on DNSSEC performance and presented them at the November 2010 IEPG meeting in Beijing: His results showed that there were indeed performance ramifications but he nonetheless concluded: “DNSSEC is a hard nut to crack. Platform design should be carefully handled. Move to DNSSEC ASAP and carefully!”