[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll
S Moonesamy
sm+icann at elandsys.com
Mon Jan 8 17:18:12 UTC 2018
Hi Geoff,
At 11:22 PM 07-01-2018, Geoff Huston wrote:
>It's not as simple as this - users typically are configured with a
>number of DNS resolvers (2 is most common) and when the first
>resolver does not answer or returns SERVFAIL then they try the
>second, and so on.
>
>What APNIC publishes at https://stats.labs.apnic.net/dnssec is 2 numbers:
>
>a) DNSSEC Validate - ALL the resolvers that are called by the user's
>DNS perform DNSSEC validation, and the user will not resolve a DNS
>name when that name is signed, but the signature cannot be validated
>
>b) Uses Google's Public DNS data service - the count of users that
>will call Google's service to resolve a name, but may also call
>other resolvers if the response from the Google resolver is SERVFAIL
Thank you for explaining the above.
>I think you are after a number that is the number of users that use
>Google's Public DNS service and no other resolver. We do not publish
>that number as we don't calculate it from the raw data.
>
>Or perhaps you are after the number of users that exclusively use
>DNSSEC-validating resolvers, one of which is Google's validation
>service. Again, we do not publish that number as we don't calculate
>it from the raw data.
It was the second option (use DNSSEC-validating resolvers).
Regards,
S. Moonesamy