[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Wes Hardaker wjhns1 at hardakers.net
Tue May 27 13:41:29 UTC 2008

>>>>> On Tue, 27 May 2008 04:51:59 +0000, Paul Vixie <paul at vix.com> said:

PV> i am especially concerned about the amount of duplicated backbone and 
PV> authority server traffic if every app on every host has its own full
PV> resolver which is a building block of such a validator.  right now we
PV> tend to cache at least at the host level and often at the LAN level.
PV> if we go to an "every app for itself" model, i fear the
PV> provisioning.

I don't think that adding app-specific caching to modern applications
will have much downside in terms of memory usage when compared to what
applications are already eating up.

In terms of added code size the static libval library from DNSSEC-Tools
is near a half a meg:

  -rw-r--r-- 1 hardaker group 549822 May 12 10:55 libval-threads.a

But if you're worried about data-caching itself (as you indicated) then
let's think:

- We've already shown in this thread that the only net traffic increase
  will be between the local resolver and the application (assuming the
  caching resolver would do validation if the application didn't, which
  was the start of the discussion).

- Most applications these days are *huge* in size compared to anything
  DNS might need to store.  E.g. for a fairly newly running firefox 3:

  3517 hardaker  20   0  197m  62m  21m S  8.0  4.1   0:28.59 firefox

  Somehow I don't think DNS caching is going to make a huge increase in
  those sizes.  The code size is likely to be a bigger issue than the
  size of the cached data.

- For small applications, most don't do a huge amount of lookups (wget,
  pine, etc)

- For small applications that actually do a huge number of lookups (web
  proxies?) then the size of the cache could grow to a level that could
  possibly impact the running system.

- If the device is small and the memory issue is real, then you could
  always decrease the cache size so it would perform more lookups (to
  the near-by caching resolver) at the trade off of speed and increased
  network usage.

I seriously doubt that in-application caching will cause a memory
increase that will seriously negatively affect most of the use cases
that exist.

"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
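
The cache-size trade-off from the last bullet, as an added example that is not part of the original message and is not libval code: a bounded in-application cache replayed over a constructed lookup trace, counting how many lookups still go to the nearby caching resolver. The class and function names, the trace, the TTL values and the stub resolver are all assumptions made for illustration.

```python
from collections import OrderedDict

class BoundedDnsCache:
    """In-application answer cache: LRU eviction plus per-entry expiry.
    Hypothetical class for illustration, not a libval type."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # name -> (expiry_time, answer)
        self.upstream = 0             # lookups sent on to the nearby caching resolver

    def lookup(self, name, now, ttl, resolve):
        cached = self.entries.get(name)
        if cached is not None and now < cached[0]:
            self.entries.move_to_end(name)    # mark as most recently used
            return cached[1]
        self.upstream += 1                    # miss or expired: ask upstream
        answer = resolve(name)
        self.entries[name] = (now + ttl, answer)
        self.entries.move_to_end(name)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)  # evict least recently used
        return answer

def constructed_workload(seconds=120):
    """Constructed trace: one lookup per second, one hot name on even seconds,
    ten cold names taken in rotation on odd seconds."""
    cold = [f"host{i}.example.net" for i in range(10)]
    return [(t, "www.example.com" if t % 2 == 0 else cold[(t // 2) % 10])
            for t in range(seconds)]

def upstream_queries(max_entries, ttl=300):
    """Replay the trace and count lookups that left the application."""
    cache = BoundedDnsCache(max_entries)
    for now, name in constructed_workload():
        cache.lookup(name, now, ttl, resolve=lambda n: "192.0.2.1")  # stub resolver
    return cache.upstream

if __name__ == "__main__":
    for size in (1, 2, 11):
        print(f"cache of {size:2d} entries -> {upstream_queries(size)} upstream lookups")
    print(f"cache of 64 entries, 10 s TTL -> {upstream_queries(64, ttl=10)} upstream lookups")
```

On this trace a two-entry cache already keeps the hot name local, and a short TTL sends lookups upstream again no matter how large the cache is.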
