[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Paul Vixie vixie at isc.org
Fri Jul 11 23:55:46 UTC 2008

> Making the broad handwaving assumption that a DNS query is more or less 
> like a static DNS query in its overhead, one can look at the _ancient_ 
> SPECweb96 results and see that single-core systems were doing several 
> 1000's of URLs a second, even without having to resort to in-kernel http 
> acceleration.

how about 100K's of TPS, which is where a lot of dns benchmarks top out?

> If one doesn't like that handwaving, SPECweb99 has "dynamic" content 
> that could be considered "closer" to what a DNS server does.
> Those were serving many thousand simultaneous sessions.

do you think it's also reasonable to worry about the 7 packet minimum TCP size
vs. the 2 packet UDP size, and the number of RTT's that add in, and the slot
occupancy time average, and the working set size of PCB's?

> So, it may involve new hardware, but I'm not sure how big that new 
> hardware would really be.

i'm fairly sure that it would be hard for the TLD servers to cope with this
change.  maybe even for the root name servers.  and for the large recursive
servers used by large ISP's.
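As an added illustration of the packet-count, RTT and PCB working-set argument above (not part of the original thread), a rough capacity model that takes the 2-packet UDP and 7-packet-minimum TCP figures from the message and assumes a 50 ms RTT, 1 ms server handling time and a 60 s TIME_WAIT:

```python
"""Rough capacity model for the UDP-vs-TCP DNS question in the thread.

Constructed illustration: the packet counts (2 for UDP, 7 minimum for TCP)
are the message's; RTT, handling time and TIME_WAIT are assumed inputs,
not measurements of any real resolver or authoritative server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transport:
    name: str
    packets_per_query: int    # wire packets for one query plus its response
    rtts_to_answer: float     # client-visible round trips before the answer
    server_hold_time: float   # seconds a server-side slot (PCB) stays allocated


def transports(rtt: float, handling: float, time_wait: float) -> list:
    """Build the two cases the thread compares (timings in seconds, assumed)."""
    udp = Transport("udp", packets_per_query=2, rtts_to_answer=1.0,
                    server_hold_time=handling)
    # TCP: 7 packets minimum (as the message states), roughly two RTTs before
    # the answer arrives, and (assumption) the server closes first, so its
    # PCB lingers in TIME_WAIT after the exchange is over.
    tcp = Transport("tcp", packets_per_query=7, rtts_to_answer=2.0,
                    server_hold_time=2 * rtt + handling + time_wait)
    return [udp, tcp]


def load(t: Transport, qps: float, rtt: float) -> dict:
    """Per-transport figures at a given query rate.

    The slot working set uses Little's law: concurrent slots equal the
    arrival rate multiplied by the average time each slot is held.
    """
    return {
        "pps": t.packets_per_query * qps,           # packets per second
        "latency": t.rtts_to_answer * rtt,          # seconds to first answer
        "working_set": t.server_hold_time * qps,    # concurrent PCBs / slots
    }


def compare(qps: float = 100_000, rtt: float = 0.05, handling: float = 0.001,
            time_wait: float = 60.0) -> dict:
    """Compare UDP and TCP at the 100K TPS range mentioned in the message."""
    return {t.name: load(t, qps, rtt)
            for t in transports(rtt, handling, time_wait)}


if __name__ == "__main__":
    for name, figures in compare().items():
        print(name, figures)
```

Under these assumed timings the TCP case holds four orders of magnitude more server-side slots than the UDP case at the same query rate, almost entirely because of TIME_WAIT rather than the extra RTTs.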
