
A study of caching behavior with respect to root server TTLs. Matthew Thomas, Duane Wessels. October 3rd, 2015.




1 A study of caching behavior with respect to root server TTLs
Matthew Thomas, Duane Wessels
October 3rd, 2015

2 RSSAC003 – RSSAC Advisory on Root zone TTLs
Consider the extent to which:
(1) the current root zone TTLs are appropriate for today's environment
(2) lowering the NS RRset TTL makes sense
(3) the impacts that TTL changes would have on the wider DNS
Work party volunteers: Duane Wessels, Warren Kumari, Jaap Akkerhuis, Shumon Huque, Brian Dickson, John Bond, Joe Abley, and Matthew Thomas
Full report published September 16th, 2015: https://www.icann.org/en/system/files/files/rssac-003-root-zone-ttls-21aug15-en.pdf
(Slide footer: Verisign Public)

3 RSSAC003 – RSSAC Advisory on Root zone TTLs
1. Document the history of TTLs in the root zone
2. Obtain a measure for TLD managers' technical preferences for NS and DS TTLs by surveying what those managers have published in TLD zones
3. Survey "max-cache-ttl" parameters of various recursive implementations
4. Analyze DITL data for the extent that recursive resolvers honor TTLs
5. Study interactions between the SOA refresh timer and serving stale data

4 Waiting for a TTL to expire in theory
http://dnsreactions.tumblr.com/post/127469871134/waiting-for-a-2-day-ttl-to-expire

5 Waiting for a TTL to expire in the real world…

    dig @a.root-servers.net . ns
    .   518400  IN  NS  a.root-servers.net.
    .   518400  IN  NS  b.root-servers.net.
    .   518400  IN  NS  c.root-servers.net.
    ….

6 DITL Data
Data caveats:
- I-Root & B-Root data removed due to anonymization.
- Obvious spoofed IP ranges removed.
- Data stored in PCAP files partitioned by root operator.
In order to obtain measurements, we need to massage the raw DITL data into a more optimal format…
[Table: DITL data availability by year and root letter A–M. The transcript preserves only the row markers "2014: XXXXXX*XXX" and "2015: XX*XXX XXXX"; which column (root letter) each marker belongs to was lost in extraction.]

7 Grouping, Sorting, and Measuring DITL
[Figure: queries from IP 1 and IP 2 for TLD 1 and TLD 2 laid out along a time axis at T1, T2, T3]
1. Group by IP address and TLD
2. Sort by time
3. Measure elapsed time between queries for the group
4. Use median of distribution of inter-query time deltas
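The four steps on this slide, carried out on a constructed sample, as an added example (this is not the authors' DITL tooling and uses no real DITL data): queries are grouped by (client IP, TLD), each group is sorted by time, consecutive deltas are measured, and the median delta per group is kept. The final helper, which reports what share of groups re-query no sooner than a given TTL, is an assumed way of reading the per-group medians against a TTL, not a statistic the slide defines.

```python
"""Added example: per-(IP, TLD) median inter-query delay, as on slide 7.
Sample input is constructed; it is not DITL data."""
from collections import defaultdict
from statistics import median

# Constructed sample of root-server queries: (unix time, client IP, qname).
# Timestamps are deliberately not in order, as packets from several
# capture files would not be.
SAMPLE_QUERIES = [
    (1000.0, "192.0.2.10", "www.example.com."),
    (1300.0, "192.0.2.10", "example.net."),
    (2500.0, "192.0.2.10", "mail.example.COM."),
    (1100.0, "198.51.100.7", "example.com."),
    (4600.0, "192.0.2.10", "example.com."),
    (1200.0, "198.51.100.7", "ns1.example.com."),
    (7200.0, "198.51.100.7", "example.com."),
    (5000.0, "203.0.113.1", "example.org."),   # lone query: yields no delta
]


def tld_of(qname):
    """Right-most label of a qname, lower-cased; the root itself is '.'.
    Slide 8 notes that '.' and 'root-servers.net.' count as TLD groups too."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if labels[-1] else "."


def group_queries(queries):
    """Step 1 and 2: group by (IP, TLD) and sort each group's timestamps."""
    groups = defaultdict(list)
    for ts, ip, qname in queries:
        groups[(ip, tld_of(qname))].append(ts)
    for ts_list in groups.values():
        ts_list.sort()
    return groups


def inter_query_deltas(timestamps):
    """Step 3: elapsed time between consecutive queries of one group."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def median_delta_per_group(queries):
    """Step 4: median of the delta distribution for every group that has
    at least two queries; single-query groups produce no measurement."""
    result = {}
    for key, ts_list in group_queries(queries).items():
        deltas = inter_query_deltas(ts_list)
        if deltas:
            result[key] = median(deltas)
    return result


def fraction_honoring_ttl(medians, ttl_seconds):
    """Assumed reading of the medians: share of groups whose median
    re-query interval is at least the TTL, i.e. that wait for expiry."""
    if not medians:
        return 0.0
    waiting = sum(1 for m in medians.values() if m >= ttl_seconds)
    return waiting / len(medians)


if __name__ == "__main__":
    medians = median_delta_per_group(SAMPLE_QUERIES)
    for (ip, tld), m in sorted(medians.items()):
        print(f"{ip:>14} {tld:<5} median inter-query delay {m:>7.0f}s")
    print("fraction re-querying no sooner than 3000s:",
          fraction_honoring_ttl(medians, 3000))
```

On the sample, 192.0.2.10/com has deltas 1500 and 2100 (median 1800) and 198.51.100.7/com has deltas 100 and 6000 (median 3050); the net and org groups have one query each and are dropped, which is why slide 9's "IPs with 10 or fewer measurements" matters for how much of the population can be characterised at all.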

8 Some basic inter-query DITL measurement stats

    Measure                           2014      2015
    Roots analyzed                    8         8
    Delegated TLDs at DITL collection 534*      905*
    IP-TLD observations               106MM     165MM
    Inter-query time measurements     8.75B     18.27B
    Observed IPs                      9.78MM    11.03MM

    * Includes "." and "root-servers.net."

As one might expect, the data exhibits a long-tail distribution…

9 Queries and Measurements by IPs
~65% of IPs have 10 or fewer measurements

10 Delegated TLDs Requested by IP

11 Total Requests by TLD

12 Total Requests by TLD vs. NS TTL (2014 DITL)

13 General Inter-Query Delay at the Roots

14 Inter-Query Delay at the Roots by TLD Type (2015)

15 Potential Impacts by Altering Root TTLs

16 Surveying "max-cache-ttl" behavior of large Open Recursive Name Servers

17 max-cache-ttl
- Popular caching name servers have a "Max TTL" setting
- Not specific to Root or any other zone
- Learning what we can about popular recursive services might inform authoritative TTL choices

18 Survey Technique
- Write custom name server (thanks ldns!)
- Send TXT queries under zone 'epoch.verisignlabs.com' to open recursives
- Return TXT response with time-of-query in rdata and a 10-day TTL:

    [dwessels@nfarnsworth ~]$ dig a4x90f8.epoch.verisignlabs.com TXT
    ;; ANSWER SECTION:
    a4x90f8.epoch.verisignlabs.com. 604800 IN TXT "At the tone, the time will be 1442263295. Beep!"

- Repeat same query later
- Measure time-in-cache for a particular response
- Plot time-of-measurement vs returned-TTL

19 UltraDNS
8 unique cached records

20 Dyn
13 unique cached records

21 OpenDNS
104 unique cached records

22 Google
250 unique cached records

23 Google - Hourly

24 An Extreme Case
Thu May 21 05:56:32 EDT 2015 = 1432202192
1432202192 - 1432182858 = 19334
TTL should be 21600 - 19334 = 2266
TTL is 5+ hours larger than expected

    ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @8.8.8.8 rssac.epoch.verisignlabs.com txt
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61987
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;rssac.epoch.verisignlabs.com.  IN  TXT

    ;; ANSWER SECTION:
    rssac.epoch.verisignlabs.com. 20691 IN TXT "At the tone, the time will be 1432182858. Beep!"

    ;; Query time: 8 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu May 21 05:56:32 EDT 2015
    ;; MSG SIZE  rcvd: 118
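The measurement step of slide 18 (time-in-cache from the epoch encoded in the TXT rdata) and the arithmetic of slide 24, as an added example rather than the authors' survey code. It parses the dig output shown on slide 24, embedded below as the sample input, and compares the returned TTL with what a resolver that honors TTLs would return. The 21600-second resolver cap is an assumption inferred from the slide's "21600 - 19334" line, not a documented Google setting; the time-zone table is constructed because `strptime`'s `%Z` does not portably parse the zone name dig prints.

```python
"""Added example: time-in-cache and TTL excess from an 'epoch' TXT answer,
reproducing the arithmetic of slide 24. Not the presenters' code."""
import re
from datetime import datetime, timedelta, timezone

AUTH_TTL = 604800            # TTL the custom authoritative server returns (slide 18)
ASSUMED_RESOLVER_CAP = 21600  # assumption inferred from slide 24's "21600 - 19334"

# Sample input: the dig answer from slide 24, embedded verbatim.
DIG_OUTPUT = """\
; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @8.8.8.8 rssac.epoch.verisignlabs.com txt
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61987
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;rssac.epoch.verisignlabs.com.  IN  TXT

;; ANSWER SECTION:
rssac.epoch.verisignlabs.com. 20691 IN TXT "At the tone, the time will be 1432182858. Beep!"

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu May 21 05:56:32 EDT 2015
;; MSG SIZE  rcvd: 118
"""

# Answer line: owner, TTL, class, type, then the rdata carrying the epoch.
ANSWER_RE = re.compile(
    r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"At the tone, the time will be (\d+)\. Beep!"$',
    re.M)
# dig's ";; WHEN:" line; the zone abbreviation is captured separately.
WHEN_RE = re.compile(
    r'^;; WHEN: (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (\w+) (\d{4})$', re.M)

# Constructed table of zone abbreviations to UTC offsets (hours).
ZONE_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4}


def parse_answer(text):
    """Extract owner name, returned TTL and the epoch the authority stamped."""
    m = ANSWER_RE.search(text)
    if m is None:
        raise ValueError("no epoch TXT answer found in dig output")
    return {"name": m.group(1), "returned_ttl": int(m.group(2)),
            "query_time": int(m.group(3))}


def parse_when(text):
    """Unix time of the measurement, from dig's ';; WHEN:' line."""
    m = WHEN_RE.search(text)
    if m is None:
        raise ValueError("no ';; WHEN:' line found in dig output")
    stamp, zone, year = m.groups()
    naive = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=ZONE_OFFSETS[zone]))
    return int(naive.replace(tzinfo=tz).timestamp())


def analyze(text, auth_ttl=AUTH_TTL, resolver_cap=None):
    """Compare the returned TTL with the TTL a TTL-honoring cache would
    return: the TTL it started with (authoritative TTL, clipped to the
    resolver's max-cache-ttl if given) minus the time the record has been
    cached. A positive excess means the cache is serving the record longer
    than its TTL allows."""
    ans = parse_answer(text)
    observed_at = parse_when(text)
    time_in_cache = observed_at - ans["query_time"]
    starting_ttl = auth_ttl if resolver_cap is None else min(auth_ttl, resolver_cap)
    expected_ttl = starting_ttl - time_in_cache
    return {"observed_at": observed_at,
            "time_in_cache": time_in_cache,
            "expected_ttl": expected_ttl,
            "returned_ttl": ans["returned_ttl"],
            "excess_seconds": ans["returned_ttl"] - expected_ttl}


if __name__ == "__main__":
    r = analyze(DIG_OUTPUT, resolver_cap=ASSUMED_RESOLVER_CAP)
    print(f"measured at {r['observed_at']}, record cached for {r['time_in_cache']}s")
    print(f"expected TTL {r['expected_ttl']}, returned TTL {r['returned_ttl']}, "
          f"excess {r['excess_seconds']}s (~{r['excess_seconds'] / 3600:.1f} h)")
```

Run against the slide's output this gives 19334 seconds in cache, an expected TTL of 2266 and a returned TTL of 20691, an excess of 18425 seconds (just over five hours), matching the slide. Calling `analyze` without `resolver_cap` instead measures against the 604800-second authoritative TTL, which is the comparison to use when you do not know the resolver's cap; the strongly negative excess you then see for this case is the cap itself showing up in the data.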

25 Conclusions
- Difficult measurement due to data size, tools available and duration of DITL collection window.
- Root zone TTLs appear to not matter to most clients.
- Largest variations in TTL adherence observed at TLD level.
- Traffic to root name servers would change very little if TTLs were reduced to 1 day.
- Popular open recursive name servers cache for 1 day or less.

26 © 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.




