<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi -</p>
<p>A discussion on 5011 with Wes Hardaker got me thinking about ways
of detecting whether or not a client querying the root has 5011
support.</p>
<p>5011 has very definite timing recommendations for queries
(section 2.3). I'm wondering if looking at the data sets for
queries to the root and the intervals between those queries might
reveal the majority of 5011 capable clients?</p>
<p>So:</p>
<ol>
<li>Determine the queryInterval and retryTime based on the
formulas in 2.3 for the current DNSKEY RRSet.<br>
</li>
<li>Grab all the queries from all of the root servers that satisfy
the characteristic that they were for the DNSKEY RRSet and
associated RRSig only along with when they were received.<br>
</li>
<li>Consolidate them somewhere.</li>
<li>Sort and group by query address.</li>
<li>Determine the intervals between subsequent queries for each
group.</li>
<li>Separate the intervals into retryTime periods, queryInterval
time periods and non-compliant periods (e.g. everything not
within 5% either way of the values calculated in step 1).</li>
<li>Score each client based on the proportions of query and retry
vs non-compliant periods.</li>
<li>Set aside the data sets showing > 20% non-compliance for
later analysis.</li>
<li>Change one or more of the signature or TTL times in a way that
causes a change in the query and retry intervals.</li>
<li>Repeat 1-8 again and correlate the results against the first
run looking for query patterns that indicate that a client has
adapted to the query interval.</li>
</ol>
<p>This may or may not be possible to accomplish given the various
demands on Verisign and ICANN, but it might actually glean real
data.</p>
<p>Its also possible that the Active refresh process is just using
data gleaned from normal queries in which case this pattern won't
be seen.<br>
</p>
<p>AFAICT, the current values of original TTL are 2 days, and the
value of RRSigExpirationInterval is 14 days. So queryInterval is
MAX (1 hour, Min(15 day, 1day, 7 day)) or 1 day. Retry interval
is MAX (1 hr, min (1 day, 4.8h, 33.6h)) or 4.8 hours.</p>
<p>So finding clients that mostly query the DNSKEY RRSet directly
either on a 4.8 hour or 1 day basis might reveal some 5011
clients. <br>
</p>
<p>Mike</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</body>
</html>