[dns-wg] Graphs of DNSKEY queries at K-root
- Previous message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
- Next message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Andrei Robachevsky
robachevsky at isoc.org
Tue Jun 19 17:22:44 CEST 2012
Matthäus Wander wrote on 18/06/2012 15:30: > Hi, > > Am 12.06.2012 15:58, schrieb Andrei Robachevsky: >> Assuming these are all valid queries (i.e. not belonging to the 98% of >> malformed >> queries root servers usually get), what fraction of the total valid >> queries does this >> constitute? >> >> Would the actual DNSSEC penetration rate be different from this number >> (e.g. due to possible differences in caching, etc.)? > > A validating resolver should query the root DNSKEY about once per day > (TTL/2) and a non-validating resolver not at all. With 1 q/s this would > make an estimate of at most 86k validating resolvers for K, minus extra > or malformed queries. The fraction of malformed queries is probably not > that large as validation seems to be disabled by default on most systems > (one must willfully enable validation without noticing that resolution > is broken). > > This number is a nice validation indicator but does not say anything > about the actual number of DNSSEC-enabled queries. The number of queries > with the DNSSEC OK flag set [1] is neither suitable, as it indicates all > DNSSEC-capable resolvers, not just the DNSSEC-enabled ones. > Right. There was an interesting paper at SATIN 2011 (http://conferences.npl.co.uk/satin/papers/satin2011-Gudmundsson.pdf) by Ólafur Gudmundsson and Steve Crocker, outlining a methodology for determining dnssec deployment, if RIPE NCC have interest and resources for more data mining. Andrei
- Previous message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
- Next message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]