Warren Kumari <warren@kumari.net> wrote:
but, I think that we first need to figure out what the cause of the increase in DNSKEY lookups is - it concerns me that we predicted no impact from the revocation, and we got... this.
Following this comment I had a quick tcpdump on my resolvers to see if there was anything doing stupid quantities of . IN DNSKEY queries. There is one firewall that is relatively busy (I dunno what is behind it), but what surprised me was the volume of queries from our wireless networks.

I had thought that end-user stub validation was negligible, but it seems to be relatively common. We typically have about 30k devices associated on our wireless network, so I would expect very roughly 2*86400/30000 = 6 seconds between queries if everyone is validating. Eyeballing it, I'm seeing maybe 10s between queries. Maaybe Windows-related? I don't have any easy way to investigate further.

Of course my resolvers will be absorbing this traffic so the roots won't see it. But I thought it might be of interest.

$ tcpdump -s0 -vvv -p -i eno1 udp and dst port 53 and udp[20] == 0 and udp[21] == 0 and udp[22] == 48

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
fight poverty, oppression, hunger, ignorance, disease, and aggression
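Added here as an illustration, not part of Tony's message or of any tool he used: the tcpdump expression above is a raw byte-offset test, and the Python below shows what those offsets mean by building a few constructed query packets and applying the same test next to a proper decoder of the question section. The only other assumption is the 2*86400-second refetch period taken from the message's own estimate.

```python
import struct

DNSKEY = 48          # RR type number for DNSKEY
DNS_HEADER_LEN = 12  # question section starts at DNS byte 12 == udp[20]

def build_query(qname, qtype, qclass=1, qid=0x1234):
    """Build a minimal DNS query (a constructed sample, not captured traffic)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".") if l)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, qclass)

def matches_tcpdump_filter(dns):
    """Equivalent of 'udp[20] == 0 and udp[21] == 0 and udp[22] == 48'.

    tcpdump's udp[N] counts from the UDP header (8 bytes), so udp[20] is DNS
    byte 12: the first QNAME byte. Zero there means the root name (a single
    empty label); the next two bytes are then the QTYPE, 0x0030 = DNSKEY.
    QR flag, class and QDCOUNT are not checked, hence the 'dst port 53'.
    """
    i = DNS_HEADER_LEN
    return len(dns) >= i + 3 and dns[i] == 0 and dns[i + 1] == 0 and dns[i + 2] == DNSKEY

def parse_question(dns):
    """Decode the first question properly, to cross-check the byte-offset test."""
    if struct.unpack("!H", dns[4:6])[0] == 0:
        return None
    pos, labels = DNS_HEADER_LEN, []
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    return (".".join(labels) + ".", qtype, qclass)

# Constructed sample capture: payloads as they would follow the 8-byte UDP header.
SAMPLE_QUERIES = [
    build_query(".", DNSKEY),             # what the filter is hunting for
    build_query("example.com.", DNSKEY),  # DNSKEY, but not for the root
    build_query(".", 1),                  # root query, but type A
    build_query(".", DNSKEY, qclass=3),   # matched too: class is not inspected
]

def count_root_dnskey(queries):
    """How many query payloads the filter would select from a capture."""
    return sum(1 for q in queries if matches_tcpdump_filter(q))

def expected_interval(clients, refetch_seconds=2 * 86400):
    """Mean gap between root DNSKEY queries if each client refetches once per
    refetch_seconds; 2*86400 is the figure the message's own estimate uses."""
    return refetch_seconds / clients
```

One caveat the decoder makes visible: the filter ignores the class and the QR bit, so a root DNSKEY query in class CH is counted, while the same query carried over TCP is never seen by it.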