Graphs of DNSKEY queries at K-root
Dear colleagues,

During the DNS Working Group session at RIPE 64, Olaf Kolkman asked the RIPE NCC to provide graphs of DNSKEY queries arriving at K-root. These graphs, especially the yearly one, are a good indicator about the level of DNSSEC validation happening for the root zone.

We have enabled automatic generation of these graphs. They are available at: http://k.root-servers.org/statistics/ROOT/dnskey_queries.html

If you have any questions, please email <dns@ripe.net>.

Regards,
Anand Buddhdev
RIPE NCC

Hi Anand,

Thank you for publishing this.

Assuming these are all valid queries (i.e. not belonging to the 98% of malformed queries root servers usually get), what fraction of the total valid queries does this constitute?

Would the actual DNSSEC penetration rate be different from this number (e.g. due to possible differences in caching, etc.)?

Thanks,
Andrei

Anand Buddhdev wrote on 11/06/2012 11:51:
> Dear colleagues,
>
> During the DNS Working Group session at RIPE 64, Olaf Kolkman asked the RIPE NCC to provide graphs of DNSKEY queries arriving at K-root. These graphs, especially the yearly one, are a good indicator about the level of DNSSEC validation happening for the root zone.
>
> We have enabled automatic generation of these graphs. They are available at: http://k.root-servers.org/statistics/ROOT/dnskey_queries.html
>
> If you have any questions, please email <dns@ripe.net>.
>
> Regards,
> Anand Buddhdev
> RIPE NCC

--
Andrei Robachevsky
Technology Program Manager
Internet Society
www.isoc.org

Hi,

On 12.06.2012 15:58, Andrei Robachevsky wrote:
> Assuming these are all valid queries (i.e. not belonging to the 98% of malformed queries root servers usually get), what fraction of the total valid queries does this constitute?
>
> Would the actual DNSSEC penetration rate be different from this number (e.g. due to possible differences in caching, etc.)?

A validating resolver should query the root DNSKEY about once per day (TTL/2) and a non-validating resolver not at all. With 1 q/s this would make an estimate of at most 86k validating resolvers for K, minus extra or malformed queries. The fraction of malformed queries is probably not that large as validation seems to be disabled by default on most systems (one must willfully enable validation without noticing that resolution is broken).

This number is a nice validation indicator but does not say anything about the actual number of DNSSEC-enabled queries. The number of queries with the DNSSEC OK flag set [1] is neither suitable, as it indicates all DNSSEC-capable resolvers, not just the DNSSEC-enabled ones.

Kind regards,
Matt

[1] http://k.root-servers.org/statistics/ROOT/dnssec.html

Matthäus Wander wrote on 18/06/2012 15:30:
> Hi,
>
> On 12.06.2012 15:58, Andrei Robachevsky wrote:
>> Assuming these are all valid queries (i.e. not belonging to the 98% of malformed queries root servers usually get), what fraction of the total valid queries does this constitute?
>>
>> Would the actual DNSSEC penetration rate be different from this number (e.g. due to possible differences in caching, etc.)?
>
> A validating resolver should query the root DNSKEY about once per day (TTL/2) and a non-validating resolver not at all. With 1 q/s this would make an estimate of at most 86k validating resolvers for K, minus extra or malformed queries. The fraction of malformed queries is probably not that large as validation seems to be disabled by default on most systems (one must willfully enable validation without noticing that resolution is broken).
>
> This number is a nice validation indicator but does not say anything about the actual number of DNSSEC-enabled queries. The number of queries with the DNSSEC OK flag set [1] is neither suitable, as it indicates all DNSSEC-capable resolvers, not just the DNSSEC-enabled ones.

Right. There was an interesting paper at SATIN 2011 (http://conferences.npl.co.uk/satin/papers/satin2011-Gudmundsson.pdf) by Ólafur Gudmundsson and Steve Crocker, outlining a methodology for determining DNSSEC deployment, if RIPE NCC have interest and resources for more data mining.

Andrei

Anand,

On Mon, Jun 11, 2012 at 11:51:54AM +0200, Anand Buddhdev wrote:
> We have enabled automatic generation of these graphs. They are available at: http://k.root-servers.org/statistics/ROOT/dnskey_queries.html

this is a good start, but since the graph looks like a DSC excerpt, can we assume that these are queries for any QNAME or only QNAME="."? Also, to get some intel about validation deployment, would it be possible to factor in the number of sources, as well?

Thanks,
Peter
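
Added example, not part of any message in this thread and not RIPE NCC's tooling: a sketch that puts the rate-based ceiling from Matt's message (query count scaled by a once-per-day refresh) next to the per-source view Peter asks about, restricted to QNAME=".". The log format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import math
from collections import Counter

# From the thread: a validating resolver re-fetches the root DNSKEY
# "about once per day (TTL/2)".
REFRESH_INTERVAL_S = 86400

# Constructed sample covering one day: "<unix_time> <source> <qname> <qtype>"
SAMPLE_LOG = """\
100 192.0.2.1 . DNSKEY
4000 192.0.2.2 . DNSKEY
5000 198.51.100.7 . DNSKEY
5060 198.51.100.7 . DNSKEY
5120 198.51.100.7 . DNSKEY
5180 198.51.100.7 . DNSKEY
7000 203.0.113.5 example.org. DNSKEY
8000 192.0.2.9 . NS
garbage line
"""

def root_dnskey_sources(log_text):
    """Count DNSKEY queries for QNAME "." per source; skip unparsable lines."""
    per_source = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        _, source, qname, qtype = fields
        if qname == "." and qtype.upper() == "DNSKEY":
            per_source[source] += 1
    return per_source

def estimate_validators(log_text, window_s):
    per_source = root_dnskey_sources(log_text)
    total = sum(per_source.values())
    # Rate-based ceiling: treats every query as coming from a distinct
    # validator that refreshes once per REFRESH_INTERVAL_S.
    rate_upper_bound = total * REFRESH_INTERVAL_S / window_s
    # A validator refreshing on schedule sends at most this many per window.
    expected_max = math.ceil(window_s / REFRESH_INTERVAL_S)
    repeaters = sorted(s for s, n in per_source.items() if n > expected_max)
    return {
        "root_dnskey_queries": total,
        "rate_upper_bound": rate_upper_bound,
        "distinct_sources": len(per_source),
        "repeat_sources": repeaters,
    }

if __name__ == "__main__":
    print(estimate_validators(SAMPLE_LOG, window_s=86400))
```

On the constructed sample the rate-based ceiling is twice the number of distinct sources, because one source repeats its query four times within the window.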