[ksk-rollover] DNSKEY queries, was Re: followup of DNSSEC Workshop at ICANN64
Tony Finch
dot at dotat.at
Mon Mar 18 17:15:12 UTC 2019
Warren Kumari <warren at kumari.net> wrote:
> but, I think that we first need to figure out what the cause of the
> increase in DNSKEY lookups is - it concerns me that we predicted no
> impact from the revocation, and we got... this.
Following this comment I had a quick tcpdump on my resolvers to see if
there was anything doing stupid quantities of . IN DNSKEY queries. There
is one firewall that is relatively busy (I dunno what is behind it), but
what surprised me was the volume of queries from our wireless networks.
I had thought that end-user stub validation was negligible, but it seems to
be relatively common.
We typically have about 30k devices associated on our wireless network, so
I would expect very roughly 2*86400/30000 = 6 seconds between queries if
everyone is validating. Eyeballing it, I'm seeing maybe 10s between
queries.
Maybe Windows-related? I don't have any easy way to investigate further.
Of course my resolvers will be absorbing this traffic so the roots won't
see it. But I thought it might be of interest.
$ tcpdump -s0 -vvv -p -i eno1 udp and dst port 53 and udp[20] == 0 and udp[21] == 0 and udp[22] == 48
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
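The BPF expression in the message above works because tcpdump's udp[N] offsets count from the start of the 8-byte UDP header: udp[20] is byte 12 of the DNS message, i.e. the first byte of QNAME (a single zero byte for the root "."), and udp[21..22] is the 16-bit QTYPE (48 = DNSKEY). The following Python is an added example, not the author's code, that replicates that byte test, decodes the question section properly, and computes the per-source interval between root DNSKEY queries that the message estimates by eye. All packets in it are constructed inline; the source addresses and timestamps are made up for illustration.

```python
import struct
from collections import defaultdict

DNSKEY = 48   # RR type number for DNSKEY
CLASS_IN = 1


def build_query(qname, qtype, qclass=CLASS_IN, txid=0x1234):
    """Build a minimal DNS query (UDP payload only). Constructed test data."""
    labels = [l for l in qname.strip(".").split(".") if l]
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + wire_name + struct.pack("!HH", qtype, qclass)


def udp_wrap(payload, sport=40000, dport=53):
    """Prepend a UDP header so offsets match tcpdump's udp[N] indexing."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def matches_bpf(udp_datagram):
    """Replicates `udp[20] == 0 and udp[21] == 0 and udp[22] == 48`.

    Note what it does NOT check: the QR bit, the opcode or QDCOUNT. Only the
    `dst port 53` clause keeps responses out of the author's capture."""
    return (len(udp_datagram) > 22
            and udp_datagram[20] == 0
            and udp_datagram[21] == 0
            and udp_datagram[22] == DNSKEY)


def parse_question(payload):
    """Decode the DNS header and first question of a query.

    Returns (qname, qtype, qclass) or None for responses, truncated
    messages, or names containing compression pointers (illegal in a query)."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:   # QR=1 is a response
        return None
    off, labels = 12, []
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:                    # compression pointer
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return (".".join(labels) + "." if labels else "."), qtype, qclass


def is_root_dnskey(payload):
    """True only for a well-formed query for `. IN DNSKEY`."""
    return parse_question(payload) == (".", DNSKEY, CLASS_IN)


def interval_per_source(packets):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).

    Returns {src_ip: mean seconds between consecutive root DNSKEY queries}
    for every source that sent at least two of them."""
    times = defaultdict(list)
    for ts, src, payload in packets:
        if is_root_dnskey(payload):
            times[src].append(ts)
    result = {}
    for src, ts in times.items():
        if len(ts) >= 2:
            ts.sort()
            result[src] = (ts[-1] - ts[0]) / (len(ts) - 1)
    return result


if __name__ == "__main__":
    # Constructed sample: one validating stub, one that only asks for A records.
    sample = [
        (0.0, "192.0.2.10", build_query(".", DNSKEY)),
        (10.0, "192.0.2.10", build_query(".", DNSKEY)),
        (20.0, "192.0.2.10", build_query(".", DNSKEY)),
        (3.0, "192.0.2.20", build_query("example.com.", 1)),
    ]
    print(interval_per_source(sample))
```

Running the script prints the mean spacing per source; in the constructed sample only 192.0.2.10 appears, at 10 seconds. The two checks disagree on purpose for a response packet: matches_bpf() accepts any datagram whose bytes 20 to 22 happen to be 0, 0, 48, while parse_question() rejects it because QR is set.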