VeriSign's rapid DNS updates in .com/.net (fwd from ml)

Sam Stickland sam_ml at spacething.org
Thu Jul 22 17:27:22 UTC 2004


I got forwarded this URL from Patrick McManus. I haven't had a chance to
read the paper myself yet so I won't comment on it. I've included the link
and the abstract below.

A choice quote is "these results suggest that the performance of DNS is
not as dependent on aggressive caching as is commonly believed, and that
the widespread use of dynamic, low-TTL A-record bindings should not
degrade DNS performance."

http://nms.lcs.mit.edu/papers/dns-imw2001.html



Abstract:

This paper presents a detailed analysis of traces of DNS and associated 
TCP traffic collected on the Internet links of the MIT Laboratory for 
Computer Science and the Korea Advanced Institute of Science and 
Technology (KAIST). The first part of the analysis details how clients at 
these institutions interact with the wide-area DNS system, focusing on 
performance and prevalence of failures. The second part evaluates the 
effectiveness of DNS caching. 

In the most recent MIT trace, 23% of lookups receive no answer; these 
lookups account for more than half of all traced DNS packets since they 
are retransmitted multiple times. About 13% of all lookups result in an 
answer that indicates a failure. Many of these failures appear to be 
caused by missing inverse (IP-to-name) mappings or NS records that point 
to non-existent or inappropriate hosts. 27% of the queries sent to the 
root name servers result in such failures. 

The paper presents trace-driven simulations that explore the effect of 
varying TTLs and varying degrees of cache sharing on DNS cache hit rates. 
The results show that reducing the TTLs of address (A) records to as low 
as a few hundred seconds has little adverse effect on hit rates, and that 
little benefit is obtained from sharing a forwarding DNS cache among more 
than 10 or 20 clients. These results suggest that the performance of DNS 
is not as dependent on aggressive caching as is commonly believed, and 
that the widespread use of dynamic, low-TTL A-record bindings should not 
degrade DNS performance. 

Sam

On Thu, 22 Jul 2004, Sam Stickland wrote:

> 
> I think I ought to qualify my earlier email - I certainly didn't mean to 
> suggest that this would happen. I meant to merely comment on what the 
> expected increase in load might be if we did see a trend towards lower 
> TTLs.
> 
> Any trend towards lower TTLs would be outside of Verisign's control 
> anyhow, and if it did happen, it would no doubt be a gradual effect. Which 
> brings me back to my original question - does anyone know of any statistics 
> for TTL values?
> 
> Sam
> 
> On Thu, 22 Jul 2004, Henry Linneweh wrote:
> 
> > 
> > Before a big panic starts, they can restore it back to
> > the way it was if there is an event of such proportion
> > to totally hose the entire network or any major
> > portion of it, until they fix any major issue with
> > these changes....
> > 
> > -Henry
> > 
> > --- Sam Stickland <sam_ml at spacething.org> wrote:
> > > 
> > > Well, a naive calculation, based on reducing the TTL to 15 mins from 24
> > > hours to match Verisign's new update times, would suggest that the number
> > > of queries would increase by (24 * 60) / 15 = 96 times? (or twice that if
> > > you factor in for the Nyquist interval).
> > > 
> > > Are there any resources out there that have information on global
> > > DNS statistics? i.e. the average TTL currently in use.
> > > 
> > > But I guess it remains to be seen if this will have a knock-on effect like
> > > that described below. Verisign are only doing this for the nameserver
> > > records at present time - it just depends on whether expectation for such
> > > rapid changes gets pushed on down.
> > > 
> > > Sam
> > > 
> > > On Thu, 22 Jul 2004, Ray Plzak wrote:
> > > 
> > > > 
> > > > Good point!  You can reduce TTLs to such a point that the servers will
> > > > become preoccupied with doing something other than providing answers.
> > > > 
> > > > Ray
> > > > 
> > > > > -----Original Message-----
> > > > > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> > > > > Daniel Karrenberg
> > > > > Sent: Thursday, July 22, 2004 3:12 AM
> > > > > To: Matt Larson
> > > > > Cc: nanog at merit.edu
> > > > > Subject: Re: VeriSign's rapid DNS updates in .com/.net
> > > > > 
> > > > > 
> > > > > Matt, others,
> > > > > 
> > > > > I am quite concerned about these zone update speed improvements
> > > > > because they are likely to result in considerable pressure to reduce
> > > > > TTLs **throughout the DNS** for little to no good reason.
> > > > > 
> > > > > It will not be long before the marketeers will discover that they do not
> > > > > deliver what they (implicitly) promise to customers in case of **changes
> > > > > and removals** rather than just additions to a zone.
> > > > > 
> > > > > Reducing TTLs across the board will be the obvious *solution*.
> > > > > 
> > > > > Yet, the DNS architecture is built around effective caching!
> > > > > 
> > > > > Are we sure that the DNS as a whole will remain operational when
> > > > > (not if) this happens in a significant way?
> > > > > 
> > > > > Can we still mitigate that trend by education of marketeers and users?
> > > > > 
> > > > > Daniel
> > > > 
> > > 
> > > 
> > 
> 
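The experiment the abstract describes (vary A-record TTL and the degree of cache sharing, measure hit rate) and the "96 times" back-of-envelope figure from the quoted thread, replayed in code. This is an added example and is not code from the thread, from the paper, or from any MIT/KAIST trace: the lookup trace is synthetic and constructed inside `make_trace` (Zipf-like name popularity, exponential inter-lookup gaps, seeded so the run is repeatable), the names `hostN.example` are placeholders, and `simulate` models an idealised forwarding cache with unlimited capacity, a single fixed TTL for every record and no negative caching.

```python
"""Trace-driven DNS cache simulation (added example; synthetic data only)."""
import itertools
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    time: float    # seconds since the start of the constructed trace
    client: int    # which stub resolver asked
    name: str      # hypothetical name being resolved


def make_trace(n_clients=40, n_names=500, lookups_per_client=2000,
               mean_gap=30.0, zipf_s=1.0, seed=2004):
    """Construct a synthetic lookup trace (assumption: not real traffic).

    Each client issues lookups with exponentially distributed gaps (mean
    mean_gap seconds). Names follow a Zipf-like popularity law, so a few names
    are hot and most are asked for only occasionally.
    """
    rng = random.Random(seed)
    names = [f"host{i}.example" for i in range(n_names)]   # placeholder names
    cum = list(itertools.accumulate(1.0 / (i + 1) ** zipf_s for i in range(n_names)))
    trace = []
    for client in range(n_clients):
        t = 0.0
        for _ in range(lookups_per_client):
            t += rng.expovariate(1.0 / mean_gap)
            trace.append(Lookup(t, client, rng.choices(names, cum_weights=cum)[0]))
    trace.sort(key=lambda lk: lk.time)
    return trace


def simulate(trace, ttl, clients_per_cache):
    """Replay the trace through forwarding caches, each shared by
    clients_per_cache clients, with every A record carrying the same TTL.

    Returns (hit_rate, upstream_queries). A miss costs one query towards the
    authoritative side and installs the record until lookup time + ttl.
    """
    caches = {}   # cache id -> {name: expiry time}
    hits = misses = 0
    for lk in trace:
        cache = caches.setdefault(lk.client // clients_per_cache, {})
        expiry = cache.get(lk.name)
        if expiry is not None and expiry > lk.time:
            hits += 1
        else:
            misses += 1
            cache[lk.name] = lk.time + ttl
    total = hits + misses
    return (hits / total if total else 0.0), misses


def naive_query_multiplier(old_ttl, new_ttl):
    """The thread's worst-case bound: a record re-fetched the instant it
    expires goes from one upstream query per old_ttl to one per new_ttl,
    i.e. old_ttl / new_ttl times as many (96 for 24 h -> 15 min)."""
    return old_ttl / new_ttl


def sweep(trace, ttls=(60, 300, 900, 3600, 86400), sharing=(1, 10, 40)):
    """Hit rate and upstream query count for each TTL / sharing combination."""
    return {(ttl, s): simulate(trace, ttl, s) for ttl in ttls for s in sharing}


if __name__ == "__main__":
    trace = make_trace()
    print(f"{'TTL (s)':>8} {'clients/cache':>14} {'hit rate':>9} {'upstream':>9}")
    for (ttl, s), (hr, up) in sorted(sweep(trace).items()):
        print(f"{ttl:>8} {s:>14} {hr:>9.3f} {up:>9}")
    _, up_day = simulate(trace, 86400, 10)
    _, up_15m = simulate(trace, 900, 10)
    print(f"measured upstream multiplier 24h -> 15min: {up_15m / up_day:.1f}x "
          f"(naive bound {naive_query_multiplier(86400, 900):.0f}x)")
```

Running it shows why the measured multiplier lands far below 96: the naive bound assumes every record is demanded again the moment it expires, but under a skewed popularity law most names are looked up much less often than once per 15 minutes, so shortening the TTL cannot add a refetch that was never going to happen. Only the hot names pay, which is the effect the abstract reports. The figures depend on the constructed trace's parameters (client count, lookup rate, Zipf exponent), so treat them as an illustration of the mechanism rather than a measurement.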