Hi -

A discussion on 5011 with Wes Hardaker got me thinking about ways of detecting whether or not a client querying the root has 5011 support.

5011 has very definite timing recommendations for queries (section 2.3).  I'm wondering if looking at the data sets for queries to the root and the intervals between those queries might reveal the majority of 5011 capable clients?

So:

  1. Determine the queryInterval and retryTime based on the formulas in 2.3 for the current DNSKEY RRSet.
  2. Grab all the queries from all of the root servers that satisfy the characteristic that they were for the DNSKEY RRSet and associated RRSig only along with when they were received.
  3. Consolidate them somewhere.
  4. Sort and group by query address.
  5. Determine the intervals between subsequent queries for each group.
  6. Separate the intervals into retryTime periods, queryInterval time periods and non-compliant periods (e.g. everything not within 5% either way of the values calculated in step 1).
  7. Score each client based on the proportions of query and retry vs non-compliant periods.
  8. Set aside the data sets showing > 20% non-compliance for later analysis.
  9. Change one or more of the signature or TTL times in a way that causes a change in the query and retry intervals.
  10. Repeat 1-8 again and correlate the results against the first run looking for query patterns that indicate that a client has adapted to the query interval.

This may or may not be possible to accomplish given the various demands on Verisign and ICANN, but it might actually glean real data.

Its also possible that the Active refresh process is just using data gleaned from normal queries in which case this pattern won't be seen.

AFAICT, the current values of  original TTL are 2 days, and the value of RRSigExpirationInterval is 14 days.  So queryInterval is MAX (1 hour, Min(15 day, 1day, 7 day)) or 1 day.  Retry interval is MAX (1 hr, min (1 day, 4.8h, 33.6h)) or 4.8 hours.

So finding clients that mostly query the DNSKEY RRSet directly either on a 4.8 hour or 1 day basis might reveal some 5011 clients. 

Mike