[rssac-caucus] aggressive NXDOMAIN in pDNS, and its effect on traffic to the root

George Michaelson ggm at algebras.org
Mon Mar 27 03:30:53 UTC 2017


By establishing a process to identify the pairing of the volume of
non-existent labels and the origins now, we can then compare that with
the post-deployment state. It would possibly only make sense if the
measurement included ISPs agreeing to some kind of view into their
query state, which might mean passiveDNS collections had a role. Done
the right way, that would capture both the NSEC responses going down
stream, and the existence of the queries coming upstream. (Sampling is
of course another method, I believe that's one already under
consideration for a collection exercise at some of the root labels.)

I would expect to see any of three major groupings of outcome:

1) the DNS resolvers of high significance (number of queries) who
display a marked fall in queries for undelegated domains

2) an alteration in the distribution of domains being queried for,
which somehow cut through the NSEC cached state. Why would that
happen? I am assuming that some level of suppression of the cache state
(side effect of CD?) or bad configuration, or maybe a DVE class
outcome? Might this be a signal of nefarious intent, resolvers who
sent queries which should have been NSEC withheld but somehow come
through?

3) "it didn't work" - no significant alteration in the amount of
non-existing TLD query, suggesting whatever effect the RFC had, it
didn't achieve what people hoped.

If there was a sample exercise, then by having a baseline at all
roots, an estimation of overall global effect might be more realistic
because for the specific roots, we get the sample-indicated % drop,
and by the pre-state measurement across the system as a whole, we can
derive the total population outcome.

Arguably, the requirement for passive DNS makes this *not* an 'only the
root can answer this' type question. So by my own chosen arbiter of a
good kind of experiment in the rssac-caucus, this might not be one!

-G



On Sun, Mar 26, 2017 at 10:19 PM, Paul Hoffman <paul.hoffman at icann.org> wrote:
> On Mar 26, 2017, at 7:19 PM, George Michaelson <ggm at algebras.org> wrote:
>> I would like to propose a study in rssac-caucus to collect information
>> about the effects of the deployment of aggressive NSEC response, on
>> the volume of query at the root.
>>
>> The work is late stage in DNSOP and I would expect to go to last-call
>> and publication. This means that we can also expect deployment soon
>> after, or even proceeding publication.
>>
>> DITL style infrequent capture would be useful but it's possible a less
>> costly mechanism to construct a measurement exists: I am unsure if the
>> current RSAC002 captures this, certainly the RCODE-VOLUME measure
>> would provide it in aggregate, but because it's dissociated from the
>> resolver it's hard to do any more qualified analysis except to say 'it
>> dropped'.
>>
>> Because the change would herald a shift in the volume of undelegated
>> (bogus) queries to the root and also reduce pressure in the known bad
>> cases like .local, it has impacts on other policy questions under the
>> oversight of the ICANN. It goes to that borderline between operations,
>> and zone content.
>
> Can you be more specific about "collect information about"? I don't see how we can collect information about queries that are not being sent, but it is quite possible I'm not being creative enough.
>
> --Paul


