This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] Graphs of DNSKEY queries at K-root
- Previous message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
- Next message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Andrei Robachevsky
robachevsky at isoc.org
Tue Jun 19 17:22:44 CEST 2012
Matthäus Wander wrote on 18/06/2012 15:30: > Hi, > > Am 12.06.2012 15:58, schrieb Andrei Robachevsky: >> Assuming these are all valid queries (i.e. not belonging to the 98% of >> malformed >> queries root servers usually get), what fraction of the total valid >> queries does this >> constitute? >> >> Would the actual DNSSEC penetration rate be different from this number >> (e.g. due to possible differences in caching, etc.)? > > A validating resolver should query the root DNSKEY about once per day > (TTL/2) and a non-validating resolver not at all. With 1 q/s this would > make an estimate of at most 86k validating resolvers for K, minus extra > or malformed queries. The fraction of malformed queries is probably not > that large as validation seems to be disabled by default on most systems > (one must willfully enable validation without noticing that resolution > is broken). > > This number is a nice validation indicator but does not say anything > about the actual number of DNSSEC-enabled queries. The number of queries > with the DNSSEC OK flag set [1] is neither suitable, as it indicates all > DNSSEC-capable resolvers, not just the DNSSEC-enabled ones. > Right. There was an interesting paper at SATIN 2011 (http://conferences.npl.co.uk/satin/papers/satin2011-Gudmundsson.pdf) by Ólafur Gudmundsson and Steve Crocker, outlining a methodology for determining dnssec deployment, if RIPE NCC have interest and resources for more data mining. Andrei
- Previous message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
- Next message (by thread): [dns-wg] Graphs of DNSKEY queries at K-root
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]