This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] dnssec validating system tag?
- Previous message (by thread): [atlas] dnssec validating system tag?
- Next message (by thread): [atlas] Probe claimed to be offline
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Apr 23 15:00:04 CEST 2018
On Sat, Apr 21, 2018 at 03:57:26AM +0300, Tapio Sokura <tapio.sokura at iki.fi> wrote a message of 9 lines which said: > Has there been thoughts about making the probes do dnssec resolver > statistics gathering? I.e. how many / which probes are configured > with dns resolvers that do / don't do dnssec validation? It would be a cool system tag (although there are some issues, such as probes with two resolvers, one validating and not the other). In the mean time, you can measure: % blaeu-resolve --displayvalidation -4 --requested 2000 atlas.ripe.net Measurement #12283537 for atlas.ripe.net/AAAA uses 1999 probes ... [ (Authentic Data flag) 2001:67c:2e8:22::c100:69e] : 821 occurrences [2001:67c:2e8:22::c100:69e] : 1071 occurrences [ERROR: FORMERR] : 7 occurrences [TIMEOUT(S)] : 19 occurrences [] : 1 occurrences [ (Authentic Data flag) (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 2 occurrences [ERROR: SERVFAIL] : 1 occurrences Test #12283537 done at 2018-04-23T10:45:48Z Basically, a small half of the probes used in this test have a validating resolver. "Truncated" messages are bugs somewhere. Some resolvers are probably buggy and do not like the DO bit, triggering FORMERR. If you ask only IPv6 probes, you have a better result: % ./blaeu-resolve --displayvalidation --requested 2000 atlas.ripe.net [ (Authentic Data flag) 2001:67c:2e8:22::c100:69e] : 1049 occurrences [2001:67c:2e8:22::c100:69e] : 839 occurrences [TIMEOUT(S)] : 14 occurrences [ (Authentic Data flag) (TRUNCATED May have to use --ednssize) ] : 1 occurrences [ (Authentic Data flag) (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 1 occurrences [ (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 1 occurrences [ERROR: FORMERR] : 6 occurrences Test #12283509 done at 2018-04-23T10:34:34Z Which makes sense, networks with IPv6 are probably "geekier".
- Previous message (by thread): [atlas] dnssec validating system tag?
- Next message (by thread): [atlas] Probe claimed to be offline
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]