It's the APNIC Ad-based measurement system (https://www.potaroo.net/ispcol/2023-10/measure-dnssec.html). In this case I'm looking at the query profile seen at the authoritative servers for an unsigned domain name.
Geoff
On 22 Oct 2024, at 5:40 PM, Terry Manderson <terry@terrym.net> wrote:
Thanks Geoff,
This is based on some sampling constructs, yes? Can you point me to your methodology? I couldn't see it on the links provided.
Thanks! T.
On 16 Oct 2024, at 5:57 AM, Geoff Huston <gih@apnic.net> wrote:
On 15 Oct 2024, at 2:19 PM, Paul Ebersman via rssac-caucus <rssac-caucus@icann.org> wrote:
terry> That is a correct interpretation of the DO bit. I haven't looked
terry> at the APNIC stats, but will do so later ... However if that is
terry> the case, one would ask "WHY" are so many resolvers asking
terry> for DNSSEC responses and doing nothing with them? Again, root
terry> cause analysis!
stub OS resolvers like microsoft have been setting DO bit for decades and the resolvers above them pass that on. doesn't mean they use the signatures, etc.
some data...
some 42% of users sit behind a collection of recursive resolvers _SOME_ of which perform DNSSEC validation
some 34% of users sit behind a collection of recursive resolvers _ALL_ of which perform DNSSEC validation
(https://stats.labs.apnic.net/dnssec/XA)
in one day (14 October) we observed 0.49% of users sit behind a recursive resolver that does NOT use EDNS(0). Some 92.6% of users have the DNSSEC_OK bit set in their queries.
If we just look at recursive resolvers, and do not weight the results by query volume, 2.16% of resolvers do not do EDNS(0) and some 92.58% have the DNSSEC_OK bit set in their queries.
Geoff
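
An added example, not part of the original thread and not APNIC's measurement code: how an authoritative server's query capture can be classified by EDNS(0) use and the DO (DNSSEC_OK) bit, then counted once per resolver as in the unweighted figures above. All function names and the sample queries are assumptions constructed for illustration.

```python
import struct

OPT_TYPE = 41      # EDNS(0) OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # DNSSEC OK bit in the OPT flags (RFC 3225)

def build_query(name, edns=False, do=False):
    """Build a minimal wire-format A query (constructed test input)."""
    msg = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1 if edns else 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!2H", 1, 1)   # root label, QTYPE=A, QCLASS=IN
    if edns:                                    # OPT RR: root name, 1232-byte UDP size
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_FLAG if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (1 if msg[off] == 0 else 2)

def edns_status(msg):
    """Return (has_edns, do_bit); a malformed query counts as (False, False)."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == OPT_TYPE:               # EDNS flags are the low 16 bits of TTL
                return True, bool(ttl & DO_FLAG)
            off += 10 + rdlen
    except (struct.error, IndexError):
        pass
    return False, False

def per_resolver(samples):
    """Unweighted view: each resolver address counts once (first query seen)."""
    seen = {}
    for addr, msg in samples:
        seen.setdefault(addr, edns_status(msg))
    n = len(seen)
    return {"resolvers": n, "no_edns": sum(not e for e, _ in seen.values()) / n,
            "do_set": sum(d for _, d in seen.values()) / n}

# Constructed samples (RFC 5737 addresses): (resolver address, query bytes)
SAMPLES = [(a, build_query("example.com", e, d)) for a, e, d in [
    ("192.0.2.1", True, True), ("192.0.2.1", True, True), ("192.0.2.2", True, True),
    ("192.0.2.3", True, False), ("192.0.2.4", False, False)]]
```

The DO bit only shows that a resolver asks for DNSSEC records; whether it validates them has to be measured separately.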