[ksk-rollover] Post IETF - Determining 5011 Support Part 2

Michael StJohns mstjohns at comcast.net
Mon Nov 12 18:09:14 UTC 2018

5011 defines a very specific timing domain for (see section 2.3 of 
RFC5011) doing refresh of the trust point key RRSET and that active 
refresh is both mandatory and easily distinguished from normal dns cache 
timeout/requery intervals.  One possible way of identifying 5011 
resolvers would be to do timing analysis on the root server logs.


0) Time sync all of the roots.

1) Aggregate all the logs from all root servers for a 30 day period.

2) Sort by resolver IP and timestamp.  group by resolver IP.

3) For each resolver, calculate the inter-arrival interval times between 
queries and compare that to the predicted/configured 5011 values.  A 
5011 compliant resolver that's also caching should be querying the root 
about 1/2 the TTL of the dnskey RRSet.

Again, haven't tested this and implementers may have taken liberty with 
the refresh protocol, but its a place to start.  And yes, I know this is 
a massive data set to wander through....


More information about the ksk-rollover mailing list