[ksk-rollover] DNSKEY queries, was Re: followup of DNSSEC Workshop at ICANN64

Tony Finch dot at dotat.at
Mon Mar 18 17:15:12 UTC 2019

Warren Kumari <warren at kumari.net> wrote:

> but, I think that we first need to figure out what the cause of the
> increase in DNSKEY lookups is - it concerns me that we predicted no
> impact from the revocation, and we got... this.

Following this comment I had a quick tcpdump on my resolvers to see if
there was anything doing stupid quantities of . IN DNSKEY queries. There
is one firewall that is relatively busy (I dunno what is behind it), but
what surprised me was the volume of queries from our wireless networks.

I had thought that end-user sub validation was negligible, but it seems to
be relatively common.

We typically have about 30k devices associated on our wireless network, so
I would expect very roughly 2*86400/30000 = 6 seconds between queries if
everyone is validating. Eyeballing it, I'm seeing maybe 10s between

Maaybe Windows-related? I don't have any easy way to investigate further.

Of course my resolvers will be absorbing this traffic so the roots won't
see it. But I thought it might be of interest.

$ tcpdump -s0 -vvv -p -i eno1 udp and dst port 53 and udp[20] == 0 and udp[21] == 0 and udp[22] == 48

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression

More information about the ksk-rollover mailing list