[ksk-rollover] Thoughts on 5011 compliance detection.

Michael StJohns msj at nthpermutation.com
Mon Jul 25 19:57:44 UTC 2016 

Hi -

A discussion on 5011 with Wes Hardaker got me thinking about ways of 
detecting whether or not a client querying the root has 5011 support.

5011 has very definite timing recommendations for queries (section 
2.3).  I'm wondering if looking at the data sets for queries to the root 
and the intervals between those queries might reveal the majority of 
5011 capable clients?

So:

 1. Determine the queryInterval and retryTime based on the formulas in
    2.3 for the current DNSKEY RRSet.
 2. Grab all the queries from all of the root servers that satisfy the
    characteristic that they were for the DNSKEY RRSet and associated
    RRSig only along with when they were received.
 3. Consolidate them somewhere.
 4. Sort and group by query address.
 5. Determine the intervals between subsequent queries for each group.
 6. Separate the intervals into retryTime periods, queryInterval time
    periods and non-compliant periods (e.g. everything not within 5%
    either way of the values calculated in step 1).
 7. Score each client based on the proportions of query and retry vs
    non-compliant periods.
 8. Set aside the data sets showing > 20% non-compliance for later analysis.
 9. Change one or more of the signature or TTL times in a way that
    causes a change in the query and retry intervals.
10. Repeat 1-8 again and correlate the results against the first run
    looking for query patterns that indicate that a client has adapted
    to the query interval.

This may or may not be possible to accomplish given the various demands 
on Verisign and ICANN, but it might actually glean real data.

Its also possible that the Active refresh process is just using data 
gleaned from normal queries in which case this pattern won't be seen.

AFAICT, the current values of  original TTL are 2 days, and the value of 
RRSigExpirationInterval is 14 days.  So queryInterval is MAX (1 hour, 
Min(15 day, 1day, 7 day)) or 1 day.  Retry interval is MAX (1 hr, min (1 
day, 4.8h, 33.6h)) or 4.8 hours.

So finding clients that mostly query the DNSKEY RRSet directly either on 
a 4.8 hour or 1 day basis might reveal some 5011 clients.

Mike







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20160725/0590331b/attachment.html>

More information about the ksk-rollover mailing list