[dns-operations] getting DNSSEC trust chains, was Re: Massive DNS poisoning attacks in Brazil

Tony Finch dot at dotat.at
Wed Oct 3 16:54:57 UTC 2012

Vernon Schryver <vjs at rhyolite.com> wrote:
> That's a good point, except I can only go with "somewhat useful".

Try www.apple.com which is a typically pathological akamaized site:

www.apple.com.          1756    IN      CNAME   www.isg-apple.com.akadns.net.
www.isg-apple.com.akadns.net. 16 IN     CNAME   www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 21557 IN     CNAME   e3191.c.akamaiedge.net.
e3191.c.akamaiedge.net. 20      IN      A

Which is four round trips and 38 queries, for A and AAAA and all the
DNSKEY and DS RRsets - it would only need 22 queries if the client knows
where the zone cuts are, but to find that out requires extra round trips.

The actual amount of data to validate this CNAME chain (if it were signed)
is about 9KB. If you gather the data with separate queries then it'll be
more like 20KB because of all the negative responses for missing zone

So if you have a 1 Mbit/s downlink with 50 ms latency that's getting on
for half a second delay, about twice as long as if you could get the
whole chain in one (TCP) request.

In order for DANE not to harm performance, a client needs to be able to
fetch and validate the TLSA RRset during the time it takes to connect to
the remote server and receive its certificate (a DNS lookup and two round
trips, for the TCP handshake and half the TLS handshake).

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

More information about the dns-operations mailing list