Does this have anything to do with the observation that A and J truncate large IPv6 UDP responses and the dual sigs cause a truncated response in IPv6 from root servers A and J which triggers a followup TCP query? (as do B, G and I). (I also note that B and G truncate IPv4 UDP responses at 1280 octets as well (or they did last I looked))

Geoff
On 16 Jan 2019, at 7:46 am, Wessels, Duane via ksk-rollover <ksk-rollover@icann.org> wrote:
Paul,
I can share a few details and what we're seeing for A & J root at Verisign. The attached graph shows the daily volume of ./IN/DNSKEY queries we received. There's an increase at the rollover and another at revocation. Pre-rollover we were at about 15M/day and now we're at 275M/day.
We identified a few ASNs whose sources send high rates of DNSKEY queries and asked them if they could shed any light. One responded quickly that at least some of their sources were VMs running CentOS 6.7 and BIND 9.8.2. We didn't get any config files but I would bet good money that they're using trusted-keys.
DW
<rate-of-dot-dnskey-queries.png>