[dns-wg] Graphs of DNSKEY queries at K-root

Matthäus Wander wrote on 18/06/2012 15:30:
> Hi,
> 
> Am 12.06.2012 15:58, schrieb Andrei Robachevsky:
>> Assuming these are all valid queries (i.e. not belonging to the 98% of
>> malformed
>> queries root servers usually get), what fraction of the total valid
>> queries does this
>> constitute?
>>
>> Would the actual DNSSEC penetration rate be different from this number
>> (e.g. due to possible differences in caching, etc.)?
> 
> A validating resolver should query the root DNSKEY about once per day
> (TTL/2) and a non-validating resolver not at all. With 1 q/s this would
> make an estimate of at most 86k validating resolvers for K, minus extra
> or malformed queries. The fraction of malformed queries is probably not
> that large as validation seems to be disabled by default on most systems
> (one must willfully enable validation without noticing that resolution
> is broken).
> 
> This number is a nice validation indicator but does not say anything
> about the actual number of DNSSEC-enabled queries. The number of queries
> with the DNSSEC OK flag set [1] is neither suitable, as it indicates all
> DNSSEC-capable resolvers, not just the DNSSEC-enabled ones.
> 

Right. There was an interesting paper at SATIN 2011
(http://conferences.npl.co.uk/satin/papers/satin2011-Gudmundsson.pdf) by
Ólafur Gudmundsson and Steve Crocker, outlining a methodology for
determining dnssec deployment, if RIPE NCC have interest and resources
for more data mining.

Andrei