Now publishing updated RFC8145 graphs and IP addresses of resolvers reporting
We wanted to let everyone know that we've updated the graphs of RFC 8145 data we're receiving. In addition, as of today, we've also started publishing the list of individual addresses that are sending RFC 8145 data indicating they are configured with only KSK-2010 as a trust anchor. See this page for more information about both the graphs and the list of addresses:

http://root-trust-anchor-reports.research.icann.org

While the graphs show an "up and to right" trend in the number of sources reporting only KSK-2010, Wes Hardaker has done some excellent research and found what he believes is the source for many of these queries; more details are on that page, as well.

Matt
On May 15, 2018, at 12:57 PM, Matt Larson <matt.larson@icann.org> wrote:

> We wanted to let everyone know that we've updated the graphs of RFC 8145 data we're receiving. In addition, as of today, we've also started publishing the list of individual addresses that are sending RFC 8145 data indicating they are configured with only KSK-2010 as a trust anchor. See this page for more information about both the graphs and the list of addresses:
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__root-2Dtrust-2Danchor-2D...
>
> While the graphs show an "up and to right" trend in the number of sources reporting only KSK-2010, Wes Hardaker has done some excellent research and found what he believes is the source for many of these queries; more details are on that page, as well.

As a follow-up: many of you indicated interest in investigating those addresses. Could you tell us (either this list, or ICANN folks in private) what you find as you dive into the data? It would help us coordinate our efforts in the time between now and October 11.

--Paul Hoffman
On 5/15/18 3:57 PM, Matt Larson wrote:

> We wanted to let everyone know that we've updated the graphs of RFC 8145 data we're receiving. In addition, as of today, we've also started publishing the list of individual addresses that are sending RFC 8145 data indicating they are configured with only KSK-2010 as a trust anchor. See this page for more information about both the graphs and the list of addresses:
>
> http://root-trust-anchor-reports.research.icann.org

FWIW, it looks as though the list of addresses was last updated 20180525163524.

#Generated at 20180525163524
#
#
#
#

One person I pointed to this data wondered whether it would be possible to add a count of the number of KSK-2010 reports per address per day. The majority of the addresses listed for their ASN are the ISP recursives which are not validating. They are looking for a way to estimate the number of KSK-2010 only clients forwarding to them.

Thanks
-miles
On May 31, 2018, at 6:51 AM, Miles McCredie <mwm333@gmail.com> wrote:

> On 5/15/18 3:57 PM, Matt Larson wrote:
>
>> We wanted to let everyone know that we've updated the graphs of RFC 8145 data we're receiving. In addition, as of today, we've also started publishing the list of individual addresses that are sending RFC 8145 data indicating they are configured with only KSK-2010 as a trust anchor. See this page for more information about both the graphs and the list of addresses:
>>
>> http://root-trust-anchor-reports.research.icann.org
>
> FWIW, it looks as though the list of addresses was last updated 20180525163524.
>
> #Generated at 20180525163524
> #
> #
> #
> #

Thanks for pointing this out, and it is now updated. (And we are now putting more verbosity in the daily cron job...)

> One person I pointed to this data wondered whether it would be possible to add a count of the number of KSK-2010 reports per address per day. The majority of the addresses listed for their ASN are the ISP recursives which are not validating. They are looking for a way to estimate the number of KSK-2010 only clients forwarding to them.

Hrm. I don't think us giving that number will reflect reality, but let me look more.

--Paul Hoffman
Following up to my message below from last month about ICANN's publishing the specific addresses indicating being configured with only KSK-2010 via RFC 8145-style key tag reporting:

As you can see on the charts on http://root-trust-anchor-reports.research.icann.org, there is a strong downward trend in the percentage of servers reporting RFC 8145 data having only KSK-2010. We have heard from very few of you about what you found if you investigated the addresses in networks for which you are responsible, and we would really like to get a feeling if that downward trend is due to your efforts or due to the resolvers that Wes Hardaker reported on May 9. Please let us know with a post to this list, or privately to me if you'd rather.

Thanks,
Matt

On May 15, 2018, at 3:57 PM, Matt Larson <matt.larson@icann.org> wrote:

> We wanted to let everyone know that we've updated the graphs of RFC 8145 data we're receiving. In addition, as of today, we've also started publishing the list of individual addresses that are sending RFC 8145 data indicating they are configured with only KSK-2010 as a trust anchor. See this page for more information about both the graphs and the list of addresses:
>
> http://root-trust-anchor-reports.research.icann.org
>
> While the graphs show an "up and to right" trend in the number of sources reporting only KSK-2010, Wes Hardaker has done some excellent research and found what he believes is the source for many of these queries; more details are on that page, as well.
>
> Matt
Matt Larson <matt.larson@icann.org> writes:

> we would really like to get a feeling if that downward trend is due to your efforts or due to the resolvers that Wes Hardaker reported on May 9.

I'm fairly sure that downward trend (which recently stopped) was the result of my outreach. I understand that in the next week other versions of that software will push out to the mobile markets and that may promote another dramatic (but short-in-time) drop. Once that levels off again the remaining problems will be unrelated.

But as I mentioned previously: the issue I found was affecting a single user behind many single addresses. It was far from a complete comprehensive analysis of the entire space. In particular, what I worry most about is the addresses with more users behind them. I.e., the number of addresses was greatly affected by my find, but that does not at all correspond to a direct relationship to the number of users (as we all know).

So, IMHO, more analysis is still needed.

--
Wes Hardaker
USC/ISI
I've got what appears to be some end-user devices sending _ta-4a5c queries. I'm tracking them down with:

    tcpdump -s0 -n -p -i any -vvv -X dst port 53 and \
        \( ip[0x28:4] == 0x085f7461 or ip6[0x3c:4] == 0x085f7461 \)

This expression looks for DNS query names that start with an 8 character label beginning '_ta'. I thought this might be useful for others.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth: West or southwest 3 or 4, increasing 5 or 6. Slight or moderate. Showers later. Moderate or good.
On Fri, Jun 15, 2018 at 6:44 AM Tony Finch <dot@dotat.at> wrote:

> I've got what appears to be some end-user devices sending _ta-4a5c queries. I'm tracking them down with:
>
>     tcpdump -s0 -n -p -i any -vvv -X dst port 53 and \
>         \( ip[0x28:4] == 0x085f7461 or ip6[0x3c:4] == 0x085f7461 \)
>
> This expression looks for DNS query names that start with an 8 character label beginning '_ta'. I thought this might be useful for others.
I am seeing queries for "_ta-4a5c-4f66". Are those the 'correct' KSKs?

--
Bob Harold
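As an added example (not code from anyone on the thread), the Python below parses RFC 8145 key tag signaling names such as _ta-4a5c and _ta-4a5c-4f66 into key tags (KSK-2010 is tag 19036 = 0x4a5c, KSK-2017 is tag 20326 = 0x4f66), replays the byte test from Tony's tcpdump filter against a constructed query to show it matches the 8-character _ta-4a5c label but not the 13-character _ta-4a5c-4f66 label, and tallies KSK-2010-only reports per address per day over constructed sample records along the lines Miles asked about. The minimal query builder (QTYPE NULL, flags zero), the sample dates and the RFC 5737 addresses are assumptions for the demo, not data from the ICANN report.

```python
import re
import struct
from collections import Counter
# Key tags of the two root KSKs as they appear, hex-encoded, in RFC 8145 key tag queries.
KSK_2010 = 0x4A5C  # key tag 19036
KSK_2017 = 0x4F66  # key tag 20326
_TA_LABEL = re.compile(r"^_ta(?:-[0-9a-f]{4})+$", re.IGNORECASE)

def key_tags_from_qname(qname):
    """Return the key tags signalled by an RFC 8145 '_ta-...' QNAME, or None if it is not one."""
    first_label = qname.rstrip(".").split(".")[0]
    if not _TA_LABEL.match(first_label):
        return None
    return [int(h, 16) for h in first_label.split("-")[1:]]

def classify(qname):
    """Map a QNAME to the trust-anchor configuration it reports."""
    tags = key_tags_from_qname(qname)
    if tags is None:
        return "not-a-signal"
    if KSK_2017 in tags:
        return "has-ksk-2017"
    return "ksk-2010-only" if tags == [KSK_2010] else "other"

def build_query(qname):
    """Constructed minimal DNS query for qname (assumed QTYPE NULL=10, QCLASS IN=1, flags 0)."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 10, 1)

def tcpdump_filter_matches(dns_payload):
    """The byte test from the thread's tcpdump filter, applied at the DNS payload: bytes 12..15
    must be 0x08 '_' 't' 'a' (8-character label starting '_ta'), so _ta-4a5c-4f66 does not match."""
    return dns_payload[12:16] == b"\x08_ta"

def ksk2010_only_per_address_per_day(records):
    """Count KSK-2010-only reports per (day, source address) over (day, src, qname) tuples."""
    counts = Counter()
    for day, src, qname in records:
        if classify(qname) == "ksk-2010-only":
            counts[(day, src)] += 1
    return dict(counts)

# Constructed sample records (RFC 5737 documentation addresses), not data from the ICANN report.
SAMPLE = [
    ("2018-06-15", "192.0.2.10", "_ta-4a5c."),
    ("2018-06-15", "192.0.2.11", "_ta-4a5c-4f66."),
    ("2018-06-16", "192.0.2.10", "_ta-4a5c."),
    ("2018-06-16", "192.0.2.11", "www.example.com."),
]
```

Run against real data, the tcpdump filter's 8-character test will miss resolvers that already report both key tags, so a capture meant to find KSK-2010-only sources should be checked against the parsed tags rather than the label length alone.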
participants (7):
- Bob Harold
- Matt Larson
- Miles McCredie
- Paul Hoffman
- Roy Arends
- Tony Finch
- Wes Hardaker