
Loading Times for DNSSEC-enabled Zones

This set of measurements tests the time it takes for a server to load a signed zone vs. the time it takes to load an unsigned zone. Here, load time is defined as the time from when the server daemon starts/restarts to the time it is ready to answer queries. The server may do other things during this time, but those values are constant and short compared to the time it takes to load a zone from a static file.
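One way to measure load time as defined above, as an added example that is not the tooling used for these measurements: start the daemon, then probe until the zone apex SOA is answered. The `start_server` callable, port 5300, and the choice to treat a NOERROR answer to an SOA probe as "ready to answer queries" are assumptions of this sketch.

```python
import random
import socket
import struct
import time

def build_soa_query(zone: str, qid: int) -> bytes:
    """DNS query for <zone> SOA IN; RD is left clear for an authoritative-only server."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def is_ready_answer(resp: bytes, qid: int) -> bool:
    """True only for a NOERROR response to our probe that carries an answer.
    SERVFAIL/REFUSED mean the daemon is up but the zone is not served yet."""
    if len(resp) < 12:
        return False
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    return rid == qid and (flags >> 15) == 1 and (flags & 0xF) == 0 and ancount >= 1

def time_until_ready(start_server, zone, host="127.0.0.1", port=5300,
                     timeout=120.0, poll=0.01) -> float:
    """Call start_server() (assumed to launch the daemon, e.g. via subprocess.Popen),
    then probe until the zone is answered. Returns elapsed milliseconds;
    resolution is bounded by `poll`."""
    qid = random.randrange(1, 0x10000)   # one ID per run: an answer to any probe counts
    query = build_soa_query(zone, qid)
    t0 = time.monotonic()
    start_server()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(poll)
        while time.monotonic() - t0 < timeout:
            try:
                sock.sendto(query, (host, port))
                resp, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue                 # nothing listening yet, or still loading
            except OSError:
                time.sleep(poll)         # e.g. ICMP port unreachable surfaced
                continue
            if is_ready_answer(resp, qid):
                return (time.monotonic() - t0) * 1000.0
    raise TimeoutError(f"{zone} not answered within {timeout}s")
```

Averaging several runs per zone, as the tests below do, smooths out the polling granularity.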

System Information: 64-bit server
DNS Information: single zone with a variable number of names in the zone. Each name has one, five or ten RRs associated with it. DNSSEC-enabled zones are signed using a single 1024-bit zone signing key.

BIND Results

The BIND-centric tests used version 9.4.1 and included the basic named.conf configuration for an authoritative-only server. Each scenario was run several times and the results averaged to produce a single load time. For zones that contain one, five and ten RRs per owner name, the following results were produced:

For 1 RR per ownername

| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 18.2 | 128.8 |
| 1000 | 22.6 | 166.2 |
| 2500 | 36.8 | 304.4 |
| 5000 | 60.8 | 594.4 |
| 7500 | 85 | 885.8 |
| 10000 | 109.6 | 1178.6 |
| 15000 | 158.6 | 1763.2 |
| 20000 | 208.4 | 2150.6 |
| 25000 | 258 | 2937.6 |
| 30000 | 308.2 | 3526.6 |



For 5 RRs per ownername

| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 32.2 | 166.2 |
| 1000 | 55.4 | 319 |
| 2500 | 119 | 780 |
| 5000 | 228.8 | 1756.8 |
| 7500 | 346.8 | 2336.4 |
| 10000 | 445.8 | 3104.4 |
| 15000 | 666.6 | 4656.2 |
| 20000 | 897.4 | 6231 |
| 25000 | 1084.8 | 7758.4 |
| 30000 | 1138.2 | 9369.4 |



For 10 RRs per ownername

| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 123.2 | 297.8 |
| 1000 | 233.6 | 573.8 |
| 2500 | 577.2 | 1418.2 |
| 5000 | 1125.8 | 2336.4 |
| 7500 | 1688.4 | 2845.4 |
| 10000 | 2254.6 | 5672.4 |
| 15000 | 3379.2 | 8516.6 |
| 20000 | 4515.2 | 11422.4 |
| 25000 | 5649.2 | 14048.4 |
| 30000 | 6784 | 17114.6 |

Discussion

The first thing to note is the rapid increase in loading time when DNSSEC is introduced. This should not be a big surprise when considering the previous discussion on zone file size growth with DNSSEC. Taking those numbers into consideration, it naturally follows that the zone with 10 RRs per owner name would take longer to load than a zone with only one RR per owner name: when a zone is signed, there is an RRSIG for each RRset (in every zone in the test, each RRset is made up of one record), so the more unique RRs in a zone, the more RRSIGs there will be. From the previous study, RRSIGs make up the majority of a signed zone (i.e. they are often the largest RRsets in the zone), so the more RRSIG RRs in a zone, the longer it takes to load.


NSD Results

The tests on the same zones used in the BIND tests above were repeated using NSD (ver. 3.0.7). However, given the way NSD operates, the time required includes not just the NSD server daemon load times, but also the time spent constructing the NSD formatted database. NSD is different from BIND in that there is a pre-processing step involved that converts the text zone file to a specially formatted database file which can be quickly loaded into the zone server. This allows the server to be started quickly, but requires a separate step in converting the zone data to the NSD readable file.

For 1 RR per ownername

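| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 1 | 8 |
| 1000 | 3 | 15 |
| 2500 | 8 | 33 |
| 5000 | 15 | 65 |
| 7500 | 20 | 98 |
| 10000 | 27 | 127 |
| 15000 | 42 | 190 |
| 20000 | 54 | 255 |
| 25000 | 67 | 318 |
| 30000 | 81 | 338 |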



For 5 RRs per ownername

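| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 5 | 19 |
| 1000 | 9 | 33 |
| 2500 | 21 | 83 |
| 5000 | 39 | 161 |
| 7500 | 58 | 238 |
| 10000 | 77 | 319 |
| 15000 | 113 | 476 |
| 20000 | 152 | 637 |
| 25000 | 188 | 800 |
| 30000 | 231 | 958 |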



For 10 RRs per ownername

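| num. ownernames | unsigned (ms) | signed (ms) |
|---|---|---|
| 500 | 17 | 736 |
| 1000 | 31 | 1661 |
| 2500 | 77 | 4195 |
| 5000 | 150 | 8420 |
| 7500 | 231 | 12621 |
| 10000 | 297 | 16921 |
| 15000 | 448 | 25213 |
| 20000 | 600 | 34495 |
| 25000 | 751 | 42829 |
| 30000 | 910 | 50602 |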


Date created 9/16/2008. Last updated 9/17/2009.