DNS: Hardware Accelerator Time!

In Episode 157 of Security Now,Steve Gibson and Leo Laporte discuss the recently discovered security issues with DNS. In particular, the cost of making a good fix in terms of bandwidth and computation capacity. Fundamentally, according to Steve, today’s DNS servers are running at a fairly high load, and there is no room to improve the security of DNS updates by for example sending extra UDP packets or switching to TCP/IP. As this theoretically means a doubling or tripling of the number of packets per query, I can believe that. The “real solutions” to DNS problems should lie in the adoption of a truly secured protocol like DNSSEC. As this uses public key crypto (PKC), it would add a processing load to the servers that would kill the DNS servers on the CPU side instead…

Since Steve is a general PC guy, he seems to have a hard time acknowledging that you need anything but an x86 processor (or a few). However, in this episode he did note that this would greatly benefit from special-purpose acceleration hardware for PKC. So here is a clear-cut case where the addition of specialized accelerators make sense even in what is considered “general” computing. This is a favorite theme of mine, see previous blog posts like the Kunle Olukotun Interview, IBM z10 accelerators, and my Niagara 2 writeup.

So here we have it: special-purpose acceleration will save the Internet, and the only architecture missing processors with good crypto accelerators seems to be x86. SPARC, Power Arch, and zSeries all have chips with accelerators on them. One would presume that either AMD or Intel — maybe more likely AMD who are now working hard on integrating things like GPUs on their chips — will soon release an x86 with this kind of support. It is also a case where general multicore use does not really make much sense, as using an additional general-purpose core is going to have much worse performance per energy or per area than a dedicated accelerator.

The future is heterogeneous and full of accelerators, I still believe that is the case.

One thought on “DNS: Hardware Accelerator Time!”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.