ietf-mailsig

Re: Will user-keys cause DNS cache to explode?

2005-08-03 02:42:47


On Aug 3, 2005, at 2:03 AM, Tony Finch wrote:


> I think this will be less of a problem than you might expect (though my
> experience and evidence are at the tens of thousands of users level rather
> than the millions of users level).
>
> In the limit (no cache hits), the volume of DNS cache space used by DKIM
> keys will scale with the volume of email processed by the site; however, we
> hope that DNS caches will provide some benefit so the cache space used
> will be less than this. In practice this benefit is surprisingly small
> because of the very heavy tail on the distribution of domains - I use the
> present tense because this is true now for the DNS lookups performed by
> current MTAs in response to incoming email, e.g. sender domain
> verification. We're already close to at least one non-repeated lookup per
> message. DKIM probably won't make it much worse even with per-user keys,
> and the damage can be mitigated by low TTLs.
>
> The following paper is very relevant to this. Its conclusion is that the
> DNS is scalable because of the caching of NS records. Leaf record
> caching (they talk about A records looked up by clients, but the same
> would be true for email-driven lookups - MXs and DKKs) provides much less
> benefit. The corollary is that increasing the load on the leaves is not an
> attack on the foundations of DNS's scalability.
>
>   http://nms.csail.mit.edu/projects/dns/

While there has been HTTP domain growth, as this paper indicates, such domain use is not evenly distributed (heavy tail). Should user-keys become widely deployed, perhaps to support applications like OpenPGP or S/MIME, where the desire would be to offer such keys to each and every user, this would create a broad distribution of use. This may create several orders of magnitude of growth in the amount of data placed into the DNS cache. DNS cache represents a limited resource. With a quarter of DNS responses already being dropped, adding more UDP traffic will not improve upon this figure either. At what point will DNS become unstable? This paper suggests that 10 minute TTLs on A records would not represent a problem. Keys, however, represent about two orders of magnitude more DNS cache resource, and potentially in much greater numbers than the domain names used for locating servers.

I think there should be a study that attempts to project the impact of a worst-case scenario where DKIM user-keys become popular for uses beyond being delegated to just ad agencies and mobile users.

-Doug
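Added illustration (not part of the thread, and not code from either correspondent): a toy model of a resolver's positive cache that replays a constructed, heavy-tailed stream of incoming messages and counts how many DKIM key lookups still go to the network, and how much cache the key records occupy, under a one-selector-per-domain scheme versus a per-user scheme. The record sizes (about 400 bytes for a key TXT answer versus about 40 for an A-style answer), the Zipf-shaped sender distribution, the 10 minute TTL and the `user._domainkey.domain` naming for per-user keys are all assumptions made for the example.

```python
"""Toy model of a resolver's positive cache under DKIM key lookups.

Added example, not from the ietf-mailsig thread. Record sizes, the
Zipf-shaped traffic and the per-user selector naming are assumptions.
"""
import random
from collections import deque

# Assumed answer sizes: a TXT record carrying a 1024-bit RSA key plus the
# name and header overhead is a few hundred bytes; an A/MX-style answer
# is a few tens of bytes. The ratio is the "about two orders" point.
KEY_RECORD_BYTES = 400
A_RECORD_BYTES = 40


class TtlCache:
    """Positive cache with one fixed TTL, so insertion order == expiry order
    and expired entries can be dropped from the front of a deque."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}            # name -> absolute expiry time
        self.size = {}              # name -> answer bytes held
        self.order = deque()        # (expiry, name) in insertion order
        self.live_bytes = 0
        self.hits = self.misses = 0
        self.peak_entries = self.peak_bytes = 0

    def _expire(self, now):
        while self.order and self.order[0][0] <= now:
            _, name = self.order.popleft()
            del self.expiry[name]
            self.live_bytes -= self.size.pop(name)

    def lookup(self, name, now, size):
        """Return True on a cache hit; on a miss, cache the answer for ttl."""
        self._expire(now)
        if name in self.expiry:
            self.hits += 1
            return True
        self.misses += 1
        if self.ttl > 0:            # ttl 0 == never cached (worst case)
            self.expiry[name] = now + self.ttl
            self.size[name] = size
            self.order.append((now + self.ttl, name))
            self.live_bytes += size
            self.peak_entries = max(self.peak_entries, len(self.expiry))
            self.peak_bytes = max(self.peak_bytes, self.live_bytes)
        return False


def zipf_stream(n_messages, n_domains, users_per_domain, exponent=1.0,
                seed=1, interval=1.0):
    """Constructed traffic: sender domain drawn from a Zipf-like (heavy
    tailed) distribution, sender within the domain uniform, one message
    every `interval` seconds. Returns [(time, domain, user), ...]."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) ** exponent for rank in range(n_domains)]
    domains = rng.choices(range(n_domains), weights=weights, k=n_messages)
    return [(i * interval, "d%d.example" % d, "u%d" % rng.randrange(users_per_domain))
            for i, d in enumerate(domains)]


def run(stream, ttl, per_user, record_bytes=KEY_RECORD_BYTES):
    """Replay a stream against a fresh cache. per_user=False models one
    selector per domain; per_user=True models an assumed per-user selector
    (user._domainkey.domain), i.e. one key record per sender."""
    cache = TtlCache(ttl)
    for now, domain, user in stream:
        selector = user if per_user else "dkim1"
        cache.lookup("%s._domainkey.%s" % (selector, domain), now, record_bytes)
    return {
        "messages": len(stream),
        "misses": cache.misses,
        "hits": cache.hits,
        "hit_rate": cache.hits / len(stream) if stream else 0.0,
        "peak_entries": cache.peak_entries,
        "peak_bytes": cache.peak_bytes,
    }


if __name__ == "__main__":
    # 20,000 messages from 2,000 domains with 50 users each, 10 minute TTL.
    stream = zipf_stream(20000, 2000, 50)
    for label, per_user, size in (("per-domain key", False, KEY_RECORD_BYTES),
                                  ("per-user key", True, KEY_RECORD_BYTES),
                                  ("A-record sized, per-domain", False, A_RECORD_BYTES)):
        print(label, run(stream, ttl=600, per_user=per_user, record_bytes=size))
```

Running it prints, for each scheme, the miss count (lookups that reach the network), the hit rate and the peak number and bytes of cached records. The per-user run can never produce fewer misses than the per-domain run on the same stream (each per-domain miss corresponds to a distinct per-user miss), and with the assumed sizes the key-sized cache holds ten times the bytes of the A-sized one for the same number of entries; varying `ttl` shows the trade-off Tony describes between cache footprint and repeated lookups.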
