[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

S Moonesamy sm+icann at elandsys.com
Mon Jan 8 17:18:12 UTC 2018

Hi Geoff,
At 11:22 PM 07-01-2018, Geoff Huston wrote:
>It's not as simple as this - users typically are configured with a 
>number of DNS resolvers (2 is most common) and when the first 
>resolver does not answer or returns SERVFAIL then they try the 
>second, and so on.
>What APNIC publishes at https://stats.labs.apnic.net/dnssec is 2 numbers:
>a) DNSSEC Validate - ALL the resolvers that are called by the user's 
>DNS perform DNSSEC validation, and the user will not resolve a DNS 
>name when that name is signed, but the signature cannot be validated
>b) Uses Google's Public DNS data service - the count of users that 
>will call Google's service to resolve a name, but may also call 
>other resolvers if the response from the Google resolver is SERVFAIL

Thank you for explaining the above.

>I think you are after a number that is the number of users that use 
>Google's Public DNS service and no other resolver. We do not publish 
>that number as we don't calculate it from the raw data.
>Or perhaps you are after the number of users that exclusively use 
>DNSSEC-validating resolvers, one of which is Google's validation 
>service. Again, we do not publish that number as we don't calculate 
>it from the raw data.

It was the second option (use DNSSEC-validating resolvers).

S. Moonesamy 
