On Fri, Jun 15, 2018 at 6:44 AM Tony Finch <dot@dotat.at> wrote:
I've got what appears to be some end-user devices sending _ta-4a5c
queries. I'm tracking them down with:

        tcpdump -s0 -n -p -i any -vvv -X dst port 53 and \
                \( ip[0x28:4] == 0x085f7461 or ip6[0x3c:4] == 0x085f7461 \)

This expression looks for DNS query names that start with an 8 character
label beginning '_ta'. I thought this might be useful for others.

Tony.
--
f.anthony.n.finch  <dot@dotat.athttp://dotat.at/
Dover, Wight, Portland, Plymouth: West or southwest 3 or 4, increasing 5 or 6.
Slight or moderate. Showers later. Moderate or good.
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover


I am seeing queries for "_ta-4a5c-4f66"
Are those the 'correct' KSK's?

-- 
Bob Harold