[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

Geoff Huston gih at apnic.net
Mon Jan 8 07:22:30 UTC 2018

> On 8 Jan 2018, at 5:46 pm, S Moonesamy <sm+icann at elandsys.com> wrote:
> Hi Geoff,
> At 04:16 PM 07-01-2018, Geoff Huston wrote:
>> I have to interject that what you have reported here is NOT not a correct interpretation of the data published by APNIC.
> Thank you for the above.  Is there an estimate of the usage of Google Public DNS as a percentage of DNSSEC validation worldwide?

Its not as simple as this - users typically are configured with a number of DNS resolvers (2 is most common) and when the first resolver does not answer or returns SERVFAIL then they try the second, and so on.

What APNIC publishes at  https://stats.labs.apnic.net/dnssec is 2 numbers:

a) DNSSEC Validate - ALL the resolvers that are called by the user’s DNS perform DNSSEC validation, and the user will not resolve a DNS name when that name is signed, but the signature cannot be validated

b) Uses Google’s Public DNS data service - the count of users that will call Google’s service to resolve a name, but may also call other resolvers if the response from the Google resolver is SERVFAIL

I think you are after a number that is the number of users that use Google’s Public DNS service and no other resolver. We do not publish that number as we don’t calculate it from the raw data.

Or perhaps you are after the number of users that exclusive use DNSSEC-validating resolvers, one of which is Google’s validation service. Again, we do not publish that number as we don’t calculate it from the raw data.



More information about the ksk-rollover mailing list