[ksk-rollover] Post IETF - Determining 5011 Support Part 2
Michael StJohns
mstjohns at comcast.net
Mon Nov 12 18:09:14 UTC 2018
RFC 5011 (see section 2.3) defines a very specific timing domain for
doing refresh of the trust point key RRSet, and that active refresh is
both mandatory and easily distinguished from normal DNS cache
timeout/requery intervals. One possible way of identifying 5011
resolvers would be to do timing analysis on the root server logs.
Specifically:
0) Time sync all of the roots.
1) Aggregate all the logs from all root servers for a 30 day period.
2) Sort by resolver IP and timestamp; group by resolver IP.
3) For each resolver, calculate the inter-arrival interval times between
queries and compare that to the predicted/configured 5011 values. A
5011 compliant resolver that's also caching should be querying the root
about 1/2 the TTL of the dnskey RRSet.
Again, I haven't tested this and implementers may have taken liberty with
the refresh protocol, but it's a place to start. And yes, I know this is
a massive data set to wander through...
Mike
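The steps 1) to 3) above, as an added example that is not part of the original post or of any root operator's tooling: it parses a constructed query log in a simple "timestamp client-ip qname qtype" format (the real root server log formats differ; this layout is an assumption), groups DNSKEY queries for "." by resolver IP, computes inter-arrival intervals, and compares the median interval against the RFC 5011 section 2.3 active-refresh expectation (the lesser of 15 days and half the DNSKEY TTL, never more often than hourly). The 172800-second TTL is the root zone's DNSKEY TTL, used here as the configured value; the three resolver addresses and their query rhythms are constructed to show a 5011-style refresher, a plain cache-expiry requerier, and an irregular client.

```python
"""Timing analysis of DNSKEY queries to spot RFC 5011 active-refresh resolvers."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

DAY = 86400
ROOT_DNSKEY_TTL = 172800  # seconds; assumed configured value (root zone DNSKEY TTL)


def expected_refresh_interval(ttl, rrsig_validity=None):
    """RFC 5011 section 2.3: query no less often than the lesser of 15 days,
    half the DNSKEY TTL, or half the RRSIG validity, and no more often than hourly."""
    candidates = [15 * DAY, ttl / 2]
    if rrsig_validity is not None:
        candidates.append(rrsig_validity / 2)
    return max(3600, min(candidates))


def parse_log(lines):
    """Parse constructed 'timestamp ip qname qtype' lines into tuples (step 1)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, qname, qtype))
    return records


def refresh_intervals(records, qname=".", qtype="DNSKEY"):
    """Group trust-point DNSKEY queries by resolver IP, sort by time, and return
    the inter-arrival intervals in seconds for each resolver (steps 2 and 3)."""
    by_ip = defaultdict(list)
    for ts, ip, name, typ in records:
        if name == qname and typ == qtype:
            by_ip[ip].append(ts)
    return {
        ip: [(b - a).total_seconds() for a, b in zip(sorted(stamps), sorted(stamps)[1:])]
        for ip, stamps in by_ip.items()
    }


def classify_resolver(intervals, ttl=ROOT_DNSKEY_TTL, tolerance=0.10, min_queries=5):
    """Compare the median inter-arrival interval with the 5011 expectation (step 3).
    A plain caching resolver requeries at TTL expiry, so that is checked too."""
    if len(intervals) < min_queries - 1:
        return "insufficient-data"
    m = median(intervals)
    expected = expected_refresh_interval(ttl)
    if abs(m - expected) <= tolerance * expected:
        return "5011-like"
    if abs(m - ttl) <= tolerance * ttl:
        return "ttl-expiry"
    return "irregular"


def classify_log(lines, ttl=ROOT_DNSKEY_TTL):
    """Run the whole pipeline over a log and return {resolver_ip: verdict}."""
    return {ip: classify_resolver(iv, ttl) for ip, iv in refresh_intervals(parse_log(lines)).items()}


def constructed_log():
    """Constructed 30-day sample (RFC 5737 addresses), deterministic, no randomness."""
    start = datetime(2018, 10, 1, tzinfo=timezone.utc)
    lines = []
    # 192.0.2.10: 5011 active refresh, about every 24 h (TTL/2) with a fixed +/-120 s jitter
    for i in range(30):
        jitter = (i % 3) * 120 - 120
        lines.append(f"{(start + timedelta(seconds=i * DAY + jitter)).isoformat()} 192.0.2.10 . DNSKEY")
    # 198.51.100.7: plain caching resolver, requeries only when the 48 h TTL expires
    for i in range(15):
        lines.append(f"{(start + timedelta(seconds=i * 2 * DAY + 30)).isoformat()} 198.51.100.7 . DNSKEY")
    # 203.0.113.5: irregular client, a handful of queries at odd hours
    for h in (0, 2, 3, 10, 11, 100, 101, 400):
        lines.append(f"{(start + timedelta(hours=h)).isoformat()} 203.0.113.5 . DNSKEY")
    # unrelated traffic that the qname/qtype filter must ignore
    lines.append(f"{start.isoformat()} 192.0.2.10 example. NS")
    return lines


if __name__ == "__main__":
    for ip, verdict in sorted(classify_log(constructed_log()).items()):
        print(ip, verdict)
```

On real root server data the median alone is too coarse: NAT'd resolver pools, retries after failed refreshes (which RFC 5011 allows at a different cadence), and forwarding chains will all blur the rhythm, so a practitioner would look at the whole interval distribution per source and treat the result as a candidate list rather than a verdict.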