[dns-operations] Root DNSSEC deployment information: J root traffic graphs for week of 12 April

Matt Larson mlarson at verisign.com
Sat Apr 17 19:41:00 UTC 2010


Dear colleagues,

As you might recall, five more root servers transitioned to serving
the DURZ (the "deliberately unvalidatable root zone") this past week
on 14 April.  As of approximately 2200 UTC on that day, all root
servers except J root are now serving a signed root zone.  If there
are recursive name servers (or other DNS clients) unable to process
the signed responses because of their increased size or the presence
of DNSSEC metadata, presumably those clients will eventually try J
root.  Therefore it's a reasonable hypothesis that an increase in
traffic to J root could indicate a potential problem with a particular
population of clients.

All the root operators submitted (or, in some cases, are still
submitting) packet capture data for approximately 48 hours surrounding
these latest DURZ deployments.  The DNSSEC design team (chiefly Duane
Wessels of VeriSign) is analyzing this data and we hope to be able to
draw conclusions and present results as we've been doing since the
DURZ rollout started.

But in the meantime, I looked to VeriSign's monitoring tools to
provide preliminary data about J root traffic volume and I've attached
several graphs.  The time and date range on all graphs is 00:00:00 UTC
on Monday, 12 April through 23:59:59 UTC on Saturday, 17 April.
However, all the graphs were generated before the end of that range
(it's not even midnight UTC on 17 April as I write this), which
explains why the righthand portion of the graphs is not filled in.
All data points are based on 10-second averages of the quantity being
plotted.  J root is anycast to approximately 70 locations, but around
15 locations are much larger than the others (i.e., multi-gigabit
connectivity).  The attached graphs plot only the 13 largest J root
instances, but should represent the vast majority of the traffic.
Most J root instances are "global" (i.e., not routing restrictions
like BGP no-export), including the 13 plotted in the attached graphs.

The first graph plots UDP DNS queries.

The second graph plots the same UDP query data points but is smoothed.

The third graph plots TCP queries (strictly speaking, it plots packets
to tcp/53 with the SYN flag set, but this value should be very close
to TCP DNS queries).

By my reading, there is really not any change worth noting after the
final DURZ deployments (minus J) on 14 April.  I think this is quite a
positive preliminary result.

We'll continue to crunch numbers and keep the community informed.  As
always, suggestions for analysis are welcome.  One active area of
analysis right now (that was planned but reinforced by suggestions at
IETF 77) is investigating the movement of source IP address from
server to server, e.g., are more sources shifting to J now that only
it remains unsigned?

The design team's web site is www.root-dnssec.org and you can reach us
at rootsign at icann.org.

Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: j-root-week-of-2010-04-12.png
Type: application/octet-stream
Size: 18991 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100417/b684538f/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: j-root-week-of-2010-04-12-smoothed.png
Type: application/octet-stream
Size: 13151 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100417/b684538f/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: j-root-week-of-2010-04-12-tcp.png
Type: application/octet-stream
Size: 7930 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20100417/b684538f/attachment-0002.obj>


More information about the dns-operations mailing list