[ksk-rollover] Increased DNSKEY queries to the root servers since the KSK-2010 revocation

Wessels, Duane dwessels at verisign.com
Tue Jan 15 20:46:54 UTC 2019


I can share a few details and what we're seeing for A & J root at Verisign.    The attached graph shows the daily volume of ./IN/DNKSEY queries we received.  There's an increase at the rollover and another at revocation.  Pre-rollover we were at about 15M/day and now we're at 275M/day.  

We identified a few ASNs whose sources send high rates of DNSKEY queries and asked them if they could shed any light.  One responded quickly that at least some of their sources were VMs running CentOS 6.7 and BIND 9.8.2.  We didn't get any config files but I would bet good money that they're using trusted-keys.  


-------------- next part --------------
A non-text attachment was scrubbed...
Name: rate-of-dot-dnskey-queries.png
Type: image/png
Size: 52846 bytes
Desc: rate-of-dot-dnskey-queries.png
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190115/8c06474c/rate-of-dot-dnskey-queries-0001.png>

More information about the ksk-rollover mailing list