[ksk-rollover] Thoughts on 5011 compliance detection.
Michael StJohns
msj at nthpermutation.com
Mon Jul 25 19:57:44 UTC 2016
Hi -
A discussion on 5011 with Wes Hardaker got me thinking about ways of
detecting whether or not a client querying the root has 5011 support.
5011 has very definite timing recommendations for queries (section
2.3). I'm wondering if looking at the data sets for queries to the root
and the intervals between those queries might reveal the majority of
5011 capable clients?
So:
1. Determine the queryInterval and retryTime based on the formulas in
2.3 for the current DNSKEY RRSet.
2. Grab all the queries from all of the root servers that satisfy the
characteristic that they were for the DNSKEY RRSet and associated
RRSig only along with when they were received.
3. Consolidate them somewhere.
4. Sort and group by query address.
5. Determine the intervals between subsequent queries for each group.
6. Separate the intervals into retryTime periods, queryInterval time
periods and non-compliant periods (e.g. everything not within 5%
either way of the values calculated in step 1).
7. Score each client based on the proportions of query and retry vs
non-compliant periods.
8. Set aside the data sets showing > 20% non-compliance for later analysis.
9. Change one or more of the signature or TTL times in a way that
causes a change in the query and retry intervals.
10. Repeat 1-8 again and correlate the results against the first run
looking for query patterns that indicate that a client has adapted
to the query interval.
This may or may not be possible to accomplish given the various demands
on Verisign and ICANN, but it might actually glean real data.
It's also possible that the Active refresh process is just using data
gleaned from normal queries, in which case this pattern won't be seen.
AFAICT, the current values of original TTL are 2 days, and the value of
RRSigExpirationInterval is 14 days. So queryInterval is MAX(1 hour,
MIN(15 days, 1 day, 7 days)), or 1 day. Retry interval is MAX(1 hour,
MIN(1 day, 4.8 h, 33.6 h)), or 4.8 hours.
So finding clients that mostly query the DNSKEY RRSet directly either on
a 4.8 hour or 1 day basis might reveal some 5011 clients.
Mike
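The interval classification in steps 1 and 4 through 8 above, as an added example that is not part of the original mail: it derives queryInterval and retryTime from the RFC 5011 section 2.3 formulas, buckets each source address's inter-query gaps as query, retry or non-compliant using the 5% tolerance, and flags sources above the 20% non-compliance threshold. The query log format (source address, epoch timestamp) and the sample addresses are constructed assumptions.

```python
# Added example: score per-source DNSKEY query timing against RFC 5011 section 2.3.
from collections import defaultdict

HOUR = 3600
DAY = 86400

def rfc5011_timers(orig_ttl, rrsig_expiration_interval):
    """queryInterval and retryTime in seconds, per RFC 5011 section 2.3."""
    query_interval = max(HOUR, min(15 * DAY, orig_ttl / 2, rrsig_expiration_interval / 2))
    retry_time = max(HOUR, min(DAY, 0.1 * orig_ttl, 0.1 * rrsig_expiration_interval))
    return query_interval, retry_time

def classify_interval(delta, query_interval, retry_time, tolerance=0.05):
    """Bucket one gap between consecutive queries: 'query', 'retry' or 'noncompliant'."""
    for label, target in (("query", query_interval), ("retry", retry_time)):
        if abs(delta - target) <= tolerance * target:
            return label
    return "noncompliant"

def score_clients(queries, query_interval, retry_time):
    """queries: iterable of (src_addr, epoch_seconds) for DNSKEY-only root queries.
    Returns {src_addr: (n_query, n_retry, n_noncompliant, noncompliant_fraction)}."""
    by_src = defaultdict(list)
    for src, ts in queries:          # step 4: group by query address
        by_src[src].append(ts)
    scores = {}
    for src, stamps in by_src.items():
        stamps.sort()
        counts = {"query": 0, "retry": 0, "noncompliant": 0}
        for a, b in zip(stamps, stamps[1:]):   # step 5/6: intervals, then bucket them
            counts[classify_interval(b - a, query_interval, retry_time)] += 1
        total = sum(counts.values())
        frac = counts["noncompliant"] / total if total else 1.0   # step 7: score
        scores[src] = (counts["query"], counts["retry"], counts["noncompliant"], frac)
    return scores

def needs_review(scores, threshold=0.2):
    """Step 8: sources whose non-compliant share exceeds the threshold."""
    return sorted(src for src, s in scores.items() if s[3] > threshold)

# Constructed sample log (assumption): one source polling daily, one at retryTime,
# one querying at arbitrary times.
SAMPLE = (
    [("192.0.2.1", i * DAY) for i in range(5)]
    + [("192.0.2.2", int(i * 4.8 * HOUR)) for i in range(5)]
    + [("192.0.2.3", t) for t in (0, 600, 7200, 50000)]
)
```

With OrigTTL of 2 days and RRSigExpirationInterval of 14 days the timers come out as 1 day and 4.8 hours, matching the figures in the mail.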