BIND 9.12.0 is ready for alpha testing. We made some significant changes in this release. There are more changes that will be merged between alpha and beta, but we prioritized the biggest changes for the alpha, to maximize test coverage for them. Please help us test this release, and as usual send bug or test reports to firstname.lastname@example.org.
Please note that we have changed some default settings in this release, which is something we only do with a major version change.
We prioritized refactoring complex functions over everything else in this release, to improve the maintainability and stability of BIND for the future. We picked three of the biggest, hairiest functions and re-structured them to simplify them. Each of these is large, scored off the charts for McCabe complexity, has been a source of recent CVEs, and is an area where we continue to develop and make changes.
Code implementing name server query processing has been moved from bin/named to a new library “libns”. This will make it easier to write unit tests for name server code, or link name server functionality into new tools. We also refactored the resolver.c file and collected all the response policy (RPZ, aka DNS firewall) functions together (they were distributed throughout the code, complicating diagnosis of problems). We explained the BIND refactoring initiative in detail in an earlier blog post.
We want to encourage users to transition to more secure, more modern cryptographic algorithms, while causing as little unexpected damage as possible to users who update their software without paying much attention. In this release we have removed the default for RSA encryption, so the user has to explicitly select an algorithm and key length. This change may break some scripts and may even cause a surprise algorithm change for some people, but it was the gentlest way of migrating we could think of. Since the discovery of the SHA-1 collision, nobody should use SHA-1 when there are many newer, more secure options available.
dnssec-keygen and dnssec-keymgr will no longer generate RSA keys less than 1024 bits in length, although we will still validate short keys. We have also added support for the new Ed25519 algorithm for DNSSEC, in anticipation of a release of a stable version of OpenSSL that supports it. (Ed448 support is still pending OpenSSL support.)
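The change above means any script that called dnssec-keygen without an explicit algorithm now fails. As an added illustration (not ISC's code), the wrapper below builds the dnssec-keygen command line with the choices made explicit and applies the policy the post describes: an algorithm must be named, RSA keys need an explicit length of at least 1024 bits, SHA-1 variants are refused, and Ed448 is held back until the OpenSSL support the post mentions is available. The `-a`, `-b`, `-f KSK` and `-K` options are real dnssec-keygen options; the algorithm sets, the 1024-bit floor and the function names are this example's own.

```python
import subprocess

MIN_RSA_BITS = 1024  # floor stated in the post for generated RSA keys

# dnssec-keygen -a mnemonics. RSA algorithms take an explicit -b length;
# the curve-based ones have a fixed size and must not be given -b.
RSA_ALGORITHMS = {"RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512"}
FIXED_SIZE_ALGORITHMS = {"ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519"}
SHA1_ALGORITHMS = {"RSASHA1", "NSEC3RSASHA1"}
PENDING_ALGORITHMS = {"ED448"}  # not usable until OpenSSL supports it (per the post)


def keygen_argv(zone, algorithm=None, bits=None, ksk=False, keydir=None):
    """Return the dnssec-keygen argv for one key, or raise ValueError when
    the requested parameters violate the policy described in the post."""
    if algorithm is None:
        raise ValueError("no default algorithm any more: pass algorithm explicitly")
    alg = algorithm.upper()
    if alg in SHA1_ALGORITHMS:
        raise ValueError(f"{alg} relies on SHA-1; choose RSASHA256, ECDSAP256SHA256 or ED25519")
    if alg in PENDING_ALGORITHMS:
        raise ValueError(f"{alg} is not supported by the available OpenSSL yet")
    if alg in RSA_ALGORITHMS:
        if bits is None:
            raise ValueError("RSA algorithms need an explicit key length (-b)")
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA keys shorter than {MIN_RSA_BITS} bits are refused")
    elif alg in FIXED_SIZE_ALGORITHMS:
        if bits is not None:
            raise ValueError(f"{alg} has a fixed key size; do not pass -b")
    else:
        raise ValueError(f"unknown algorithm {alg}")

    argv = ["dnssec-keygen", "-a", alg]
    if bits is not None:
        argv += ["-b", str(bits)]
    if ksk:
        argv += ["-f", "KSK"]
    if keydir is not None:
        argv += ["-K", keydir]
    argv.append(zone)
    return argv


def generate_key(zone, **options):
    """Run dnssec-keygen with a policy-checked argv; returns the key file base
    name that dnssec-keygen prints. Requires BIND's tools to be installed."""
    argv = keygen_argv(zone, **options)
    result = subprocess.run(argv, check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(" ".join(keygen_argv("example.com", "RSASHA256", bits=2048, ksk=True)))
    print(" ".join(keygen_argv("example.com", "ED25519")))
```

`keygen_argv` is pure and can be unit-tested without BIND present; only `generate_key` actually invokes the tool.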
In keeping with the theme of renewal, we have removed some legacy features. We announced we are no longer supporting Windows XP. We ended support for the lightweight resolver daemon and library (lwresd and liblwres) and removed them from 9.12: we recommend lwresd users try the getdns API. We removed the dig +sigchase feature, which was replaced with the delv tool in 9.10.
A survey of our subscribers in the beginning of 2017 showed that performance was a significant concern. This release includes a number of small changes, and one large one - the addition of a special cache for glue records - that together improve authoritative performance noticeably. Performance of glue-heavy applications such as TLDs is improved by as much as 500% (yes, that is five times faster!). minimal-responses is now set to yes by default, which also contributes significantly to improved performance.
BIND is still not going to be the fastest DNS system in a race, but now that we have a good performance testing system, we are able to easily validate improvements and avoid performance regressions.
There are not many new features in this release because of the focus on renewing the code. However, because DDoS attacks against DNS systems were growing in scale during 2016, we also wanted to update the resolver’s ability to maintain service during an effective DDoS of either the DNS root, a top-level domain, or another frequently-consulted popular authoritative zone.
We added NSEC Aggressive Use, supported by funding from APNIC, to enable the resolver to construct an answer for a root zone query from information already obtained in previous queries. In this alpha we are constructing answers from prior NXDOMAIN responses; we have still to add synthesizing answers from NODATA responses and support for wildcards.
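To make the mechanism concrete, here is an added example (not BIND's code) of the NXDOMAIN half of aggressive NSEC use, plus the simpler NODATA case the post lists as still to come. A resolver that has cached an NSEC record knows that no name exists between its owner and its next name in DNSSEC canonical order, so a later query for such a name can be refused from cache without contacting the root. The code implements the canonical ordering, the wrap-around of the last NSEC in a zone, and the caveat that a parent-side NSEC at a delegation says nothing about names inside the child zone. Wildcard proofs are left out, as in the alpha. The NSEC records and the `ROOT_NSEC_CACHE` list are constructed for this example and are not real root-zone data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    """One cached NSEC record: owner name, next owner name, and the type bitmap."""
    owner: str
    next_name: str
    types: frozenset


def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical name order (RFC 4034 section 6.1): labels
    compared case-insensitively, most significant (rightmost) label first, and a
    name that is a prefix of another sorts before it. The root "." maps to ()."""
    labels = [label.lower().encode("ascii") for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def is_subdomain(name: str, ancestor: str) -> bool:
    n, a = canonical_key(name), canonical_key(ancestor)
    return len(n) > len(a) and n[: len(a)] == a


def is_delegation(nsec: NSEC) -> bool:
    """A parent-side NSEC at a delegation point lists NS but not SOA."""
    return "NS" in nsec.types and "SOA" not in nsec.types


def nsec_covers(nsec: NSEC, qname: str) -> bool:
    """True if qname lies strictly inside the gap (owner, next) in canonical
    order, which proves that qname does not exist in the NSEC's zone."""
    if is_delegation(nsec) and is_subdomain(qname, nsec.owner):
        # Names below a delegation live in the child zone; the parent's NSEC
        # cannot prove anything about them.
        return False
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC of the zone: its next name wraps around to the apex.
    return q > o or q < n


def synthesize(cache, qname: str, qtype: str):
    """Try to answer <qname, qtype> from cached NSEC records alone.
    Returns ("NXDOMAIN", nsec_owner), ("NODATA", nsec_owner), or None when the
    resolver must send the query upstream."""
    q = canonical_key(qname)
    for nsec in cache:
        if canonical_key(nsec.owner) == q:
            if qtype in nsec.types:
                return None  # the name and type exist; fetch the real answer
            if is_delegation(nsec) and qtype != "DS":
                return None  # parent bitmap says nothing about the child's own apex data
            return ("NODATA", nsec.owner)
        if nsec_covers(nsec, qname):
            return ("NXDOMAIN", nsec.owner)
    return None


# Constructed sample cache resembling NSEC records a resolver might hold for
# the root zone (not real data): the apex, one delegation, and the last record.
ROOT_NSEC_CACHE = [
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("com.", "comcast.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("zw.", ".", frozenset({"NS", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for qname, qtype in [("coma.", "A"), ("coma.com.", "A"), ("zzz.", "A"), ("comcast.", "A"), (".", "MX")]:
        print(qname, qtype, "->", synthesize(ROOT_NSEC_CACHE, qname, qtype))
```

Note how `coma.` is refused from cache (it falls between `com.` and `comcast.`) while `coma.com.` is not, even though it sorts into the same gap: the root's NSEC for `com.` is at a delegation, so the query has to go to the com servers.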
Akamai contributed a patch, written by a former member of the BIND 9 development team, that implements Serve Stale. Serve Stale returns a stale answer when a fresh answer is unavailable due to an unresponsive authority. Akamai has been using a version of BIND with this patch internally for several years with good results. A similar approach enabled some public resolvers to continue to offer access to popular sites like Twitter during the October 2016 massive DDoS against Dyn and we wanted BIND to have the same ability.
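The following is an added sketch (not the Akamai patch or BIND's implementation) of the cache behaviour Serve Stale describes: an expired record is normally refreshed, but when the refresh fails because the authority is unresponsive, the expired record is returned with a short TTL for a bounded period after expiry. A refresh that fails for any other reason (for example an authoritative negative answer) is not served stale. The window of one day after expiry, the one-second TTL on stale answers, the injectable clock, and the names `StaleCache`, `UpstreamTimeout` and `resolve` are this example's own assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: tuple
    ttl: int
    inserted: float


class UpstreamTimeout(Exception):
    """Raised by the fetch callback when no authoritative server responds."""


class StaleCache:
    """Resolver cache with serve-stale semantics (constructed for this example)."""

    def __init__(self, max_stale=86400, stale_ttl=1, clock=time.monotonic):
        self.max_stale = max_stale  # assumed: how long past expiry a record may be served stale
        self.stale_ttl = stale_ttl  # assumed: TTL put on stale answers so clients retry soon
        self.clock = clock          # injectable so the behaviour can be tested deterministically
        self.entries = {}

    def put(self, name, rtype, rdata, ttl):
        self.entries[(name.lower(), rtype)] = CacheEntry(tuple(rdata), ttl, self.clock())

    def resolve(self, name, rtype, fetch):
        """Return (status, rdata, ttl) where status is "fresh" or "stale".
        fetch(name, rtype) returns (rdata, ttl) or raises UpstreamTimeout when
        the authority is unresponsive; any other exception propagates unchanged."""
        key = (name.lower(), rtype)
        entry = self.entries.get(key)
        now = self.clock()
        if entry is not None:
            age = now - entry.inserted
            if age < entry.ttl:
                return ("fresh", entry.rdata, int(entry.ttl - age))
        try:
            rdata, ttl = fetch(name, rtype)
        except UpstreamTimeout:
            # Only an unresponsive authority triggers serve-stale, and only
            # while the expired record is still inside the stale window.
            if entry is not None and now - entry.inserted < entry.ttl + self.max_stale:
                return ("stale", entry.rdata, self.stale_ttl)
            raise
        self.put(name, rtype, rdata, ttl)
        return ("fresh", tuple(rdata), ttl)


class FakeClock:
    """Manually advanced clock for demonstrations and tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def authority_down(name, rtype):
    raise UpstreamTimeout(f"no response for {name}/{rtype}")


if __name__ == "__main__":
    clock = FakeClock()
    cache = StaleCache(max_stale=3600, clock=clock)
    cache.put("www.example.", "A", ["192.0.2.1"], ttl=60)  # constructed record, RFC 5737 address
    clock.t = 30
    print(cache.resolve("www.example.", "A", authority_down))   # fresh, 30 s left
    clock.t = 100
    print(cache.resolve("www.example.", "A", authority_down))   # stale, TTL 1
```

The refresh attempt still happens on every query for an expired name, so as soon as the authority comes back the stale data is replaced; the stale answer only fills the gap while it is down.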
As always, we had a lot of help from our friends. This release will include a number of bug fixes that would never have happened without the active support of BIND users who reported problems or contributed patches. We will publish the list of technical contributors with the final release, because there are more patches in review now.
While this release is in alpha testing, the BIND 9 development team will continue work on the NSEC aggressive use feature (adding support for wildcards and synthesis from NODATA responses), add unit tests for refactored code, review and commit submitted patches, and investigate the most severe outstanding bug reports. If there is time, we also hope to replace our Windows installer, do a bit more work on TCP pipelining, and address a few longstanding customer requests. Of course, we will also be looking for and addressing bug reports from alpha testing.
We plan to issue a beta in October and to release a final before the end of 2017.
For more information, see the Release Notes for 9.12.0 alpha.