ICANN Announcements

Read ICANN Announcements to stay informed of the latest policymaking activities, regional events, and more.

Deployment of DNSSEC in the Root Zone: Impact Analysis

14 April 2011

In 2010 ICANN commissioned a study from DNS-OARC to examine the impact of DNSSEC deployment in the root zone, and in particular the effects on clients from the large DNS responses resulting from the use of a Deliberately Unvalidatable Root Zone (DURZ).

The DNS-OARC study drew upon the results of a coordinated data collection exercise by root server operators, with each data collection window timed to coincide with a transition by one or more root servers [TXT, 28 KB] from serving an unsigned root zone to serving the DURZ.

ICANN is publishing this report in order to share its findings with the wider DNS community.

The conclusion of the DNS-OARC study is included below.

The average message size of UDP-based DNS response size grew by about 40%, from 405 to 569 octets. The largest observed responses were just over 900 octets.

There is evidence that the introduction of the DURZ resulted in an increase in the number of query retries for some types of query, but it is unclear whether this corresponds to clients with path MTU issues or is simply path MTU discovery at work. The apparent absence of any problem reports strongly suggests the latter.

The number of TCP-based DNS queries to the root servers increased by approximately 1333%, from 30 per second prior to the introduction of the DURZ to around 400 per second afterwords. However, TCP-based queries, which were a miniscule 0.02% of total query traffic before the DURZ, were still only 0.17% of it afterwords. While 400 TCP connections per second may seem high, it is small relative to available capacity, particularly as the root servers comprise approximately 300 individual nodes. The number of clients using TCP for DNS queries rose by over 1800% from around 1600 distinct sources per hour to nearly 30,000. This is still a tiny fraction of all DNS clients.

Deployment of DNSSEC in the Root Zone: Impact Analysis [PDF, 799 KB]