[ksk-rollover] Increased DNSKEY queries to the root servers since the KSK-2010 revocation

Geoff Huston gih at apnic.net
Tue Jan 15 23:53:20 UTC 2019


Does this have anything to do with the observation that A and J truncate large IPv6 UDP responses and the dual sigs cause a truncated response in IPv6 from root servers A and J which triggers a followup TCP query? (as do B, G and I).

(I also note that B and G truncate IPv4 UDP responses at 1280 octets as well (or they did last I looked).)

Geoff




> On 16 Jan 2019, at 7:46 am, Wessels, Duane via ksk-rollover <ksk-rollover at icann.org> wrote:
> 
> Paul,
> 
> I can share a few details and what we're seeing for A & J root at Verisign. The attached graph shows the daily volume of ./IN/DNSKEY queries we received. There's an increase at the rollover and another at revocation. Pre-rollover we were at about 15M/day and now we're at 275M/day.
> 
> We identified a few ASNs whose sources send high rates of DNSKEY queries and asked them if they could shed any light.  One responded quickly that at least some of their sources were VMs running CentOS 6.7 and BIND 9.8.2.  We didn't get any config files but I would bet good money that they're using trusted-keys.  
> 
> DW
> 
> <rate-of-dot-dnskey-queries.png>
