Matthäus Wander wrote on 18/06/2012 15:30:
Hi,
On 12.06.2012 15:58, Andrei Robachevsky wrote:
Assuming these are all valid queries (i.e. not belonging to the 98% of malformed queries root servers usually get), what fraction of the total valid queries does this constitute?
Would the actual DNSSEC penetration rate be different from this number (e.g. due to possible differences in caching, etc.)?
A validating resolver should query the root DNSKEY about once per day (TTL/2) and a non-validating resolver not at all. With 1 q/s this would make an estimate of at most 86k validating resolvers for K, minus extra or malformed queries. The fraction of malformed queries is probably not that large as validation seems to be disabled by default on most systems (one must willfully enable validation without noticing that resolution is broken).
This number is a nice validation indicator but does not say anything about the actual number of DNSSEC-enabled queries. The number of queries with the DNSSEC OK flag set [1] is not suitable either, as it indicates all DNSSEC-capable resolvers, not just the DNSSEC-enabled ones.
Right. There was an interesting paper at SATIN 2011 (http://conferences.npl.co.uk/satin/papers/satin2011-Gudmundsson.pdf) by Ólafur Gudmundsson and Steve Crocker, outlining a methodology for determining dnssec deployment, if RIPE NCC have interest and resources for more data mining.
Andrei