[dns-operations] A Case Against DNSSEC (A Matasano Miniseries)
Rodney Joffe
rjoffe at centergate.com
Wed Apr 4 22:43:49 UTC 2007
Matt, and John,
On Apr 4, 2007, at 2:37 PM, John Payne wrote:
>
> On Apr 4, 2007, at 3:49 PM, Paul Vixie wrote:
>
>>> Am I missing something here? Do 75% of the world's Internet users (to
>>> take a number from another of Rodney's messages) really use less than 30
>>> recursive DNS servers?
>>
>> that sounds about right.
>
> It sounds VERY low to me.... especially if you say "world's Internet
> users".
I was very specific: I said:
> fewer than the equivalent of 30 servers.
The "going rate" of answers from an authoritative server (BIND/NSD/
Ultra/Nominum*) is 35,000 per second. Between them, that is 1,000,000
answers per second. Based on my 7 years of operation of significant
authoritative DNS service, 75% of the user base of the Internet
results in fewer than this number of queries per second for me.
Significantly lower. Say BT has n recursive servers. I answer the
query for foo.bar once every 24 hours for each. If n is 1,000 (note,
I have no idea, but it is surely smaller than this), that means that
for the 20m domains I am authoritative for, I will see at worst 20M *
1,000 queries per 24 hours, or 230,000 per second. In reality, from
experience with real networks that I cannot identify or provide
actual numbers for, for NDA reasons, the qps number is 1/100th of the
calculated number.
Based on my calculations (as wild as anyone's in my position), 1
million a second would handle 75% of the world's users handily.
To make the problem even smaller (an order of magnitude or better), I
have implementations in place already utilizing forwarding recursive
servers based on the DNS Shield model that make scale *really*
reasonable and achievable, for 75% of the world. Assuming the
gatekeepers listened.
And as Paul pointed out, no-one can defend completely against an
intelligent DDoS. However, if 75% of the 'net is unaffected, the
goals of the DDFH crew are likely unrealized, and they move on. Whack
jobs notwithstanding.
*Nominum have different published numbers, but for simplicity I
include them as capable of at least 35,000 qps. No need to follow
this rathole.