By establishing a process to identify the pairing of the volume of non-existent labels and the origins now, we can then compare that with the post-deployment state. It would possibly only make sense if the measurement included ISPs agreeing to some kind of view into their query state, which might mean passive DNS collections had a role. Done the right way, that would capture both the NSEC responses going downstream, and the existence of the queries coming upstream. (Sampling is of course another method; I believe that's one already under consideration for a collection exercise at some of the root labels.)

I would expect to see any of three major groupings of outcome:

1) the DNS resolvers of high significance (number of queries) who display a marked fall in queries for undelegated domains

2) an alteration in the distribution of domains being queried for, which somehow cut through the NSEC cached state. Why would that happen? I am assuming that some level of suppression of the cache state (side effect of CD?) or bad configuration, or maybe a DVE class outcome? Might this be a signal of nefarious intent, resolvers who sent queries which should have been NSEC withheld but somehow come through?

3) "it didn't work" - no significant alteration in the amount of non-existing TLD query, suggesting whatever effect the RFC had, it didn't achieve what people hoped.

If there was a sample exercise, then by having a baseline at all roots, an estimation of overall global effect might be more realistic, because for the specific roots we get the sample-indicated % drop, and by the pre-state measurement across the system as a whole we can derive the total population outcome.

Arguably, the requirement for passive DNS makes this *not* an 'only the root can answer this' type question. So by my own chosen arbiter of a good kind of experiment in the rssac-caucus, this might not be one!

-G

On Sun, Mar 26, 2017 at 10:19 PM, Paul Hoffman <paul.hoffman@icann.org> wrote:
On Mar 26, 2017, at 7:19 PM, George Michaelson <ggm@algebras.org> wrote:
I would like to propose a study in rssac-caucus to collect information about the effects of the deployment of aggressive NSEC response on the volume of query at the root.
The work is late stage in DNSOP and I would expect it to go to last-call and publication. This means that we can also expect deployment soon after, or even preceding publication.
DITL style infrequent capture would be useful but it's possible a less costly mechanism to construct a measurement exists: I am unsure if the current RSSAC002 captures this; certainly the RCODE-VOLUME measure would provide it in aggregate, but because it's dissociated from the resolver it's hard to do any more qualified analysis except to say 'it dropped'.
Because the change would herald a shift in the volume of undelegated (bogus) queries to the root and also reduce pressure in the known bad cases like .local, it has impacts on other policy questions under the oversight of ICANN. It goes to that borderline between operations, and zone content.
Can you be more specific about "collect information about"? I don't see how we can collect information about queries that are not being sent, but it is quite possible I'm not being creative enough.
--Paul
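As an added example (not part of this thread, and not anyone's measurement code), the following Python sketches how the three outcome groupings and the "sampled % drop applied to a system-wide baseline" extrapolation from George's reply could be operationalized over per-resolver root query records. Everything concrete in it is an assumption for illustration: the constructed "resolver qname rcode" log lines (not RSSAC002 or DITL output), the 192.0.2.0/24 resolver addresses, the 50% threshold for a "marked fall", and the choice of "more than one post-deployment query for the same undelegated TLD from one resolver, within a window shorter than the cached NSEC TTL" as the signal for queries that should have been NSEC-withheld but came through.

```python
from collections import Counter, defaultdict

# Constructed root-server query records for this example (not real data).
# The "resolver qname rcode" line format is an assumption, not RSSAC002 or
# DITL output. NXDOMAIN from a root server means the queried TLD is undelegated.
PRE_DEPLOYMENT = """\
192.0.2.10 www.example.com. NOERROR
192.0.2.10 printer.local. NXDOMAIN
192.0.2.10 scanner.local. NXDOMAIN
192.0.2.10 nas.home. NXDOMAIN
192.0.2.10 tv.home. NXDOMAIN
192.0.2.20 a.corp. NXDOMAIN
192.0.2.20 b.corp. NXDOMAIN
192.0.2.20 c.corp. NXDOMAIN
192.0.2.20 d.corp. NXDOMAIN
192.0.2.20 e.corp. NXDOMAIN
192.0.2.30 x.lan. NXDOMAIN
192.0.2.30 y.lan. NXDOMAIN
192.0.2.30 z.lan. NXDOMAIN
192.0.2.30 w.lan. NXDOMAIN
"""

POST_DEPLOYMENT = """\
192.0.2.10 www.example.com. NOERROR
192.0.2.10 printer.local. NXDOMAIN
192.0.2.20 a.corp. NXDOMAIN
192.0.2.20 b.corp. NXDOMAIN
192.0.2.30 x.lan. NXDOMAIN
192.0.2.30 y.lan. NXDOMAIN
192.0.2.30 z.lan. NXDOMAIN
192.0.2.30 w.lan. NXDOMAIN
"""


def parse_log(text):
    """Yield (resolver, qname, rcode) tuples from the constructed line format."""
    for line in text.splitlines():
        if line.strip():
            resolver, qname, rcode = line.split()
            yield resolver, qname.lower(), rcode


def undelegated_by_resolver(text):
    """Per resolver, a Counter of undelegated TLDs queried (NXDOMAIN answers)."""
    per_resolver = defaultdict(Counter)
    for resolver, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            tld = qname.rstrip(".").rsplit(".", 1)[-1]
            per_resolver[resolver][tld] += 1
    return per_resolver


def total_undelegated(text):
    """Total undelegated-TLD queries in a capture (the aggregate RCODE view)."""
    return sum(sum(c.values()) for c in undelegated_by_resolver(text).values())


def classify_resolvers(pre_text, post_text, marked_fall=0.5):
    """Assign each resolver to one of the three outcome groupings.

    marked_fall is the minimum fractional drop that counts as group 1; the 0.5
    default is an arbitrary threshold for this example. A resolver whose volume
    fell but which still sent more than one query for the same undelegated TLD
    in the post window goes in group 2: with aggressive NSEC caching, one NSEC
    proving the TLD absent should cover every later query for it, assuming the
    post window is shorter than the cached NSEC's TTL (an assumption here).
    """
    pre = undelegated_by_resolver(pre_text)
    post = undelegated_by_resolver(post_text)
    groups = {}
    for resolver in sorted(set(pre) | set(post)):
        before = sum(pre[resolver].values())
        after = sum(post[resolver].values())
        if before == 0:
            continue  # no pre-deployment baseline to compare against
        drop = 1 - after / before
        if drop < marked_fall:
            groups[resolver] = "no_change"      # group 3: "it didn't work"
        elif any(n > 1 for n in post[resolver].values()):
            groups[resolver] = "cache_bypass"   # group 2: cut through NSEC cache
        else:
            groups[resolver] = "marked_fall"    # group 1
    return groups


def estimate_population(sample_pre, sample_post, system_pre):
    """Apply the % drop seen at sampled roots to a system-wide pre-state baseline.

    Returns (drop_fraction, estimated system-wide post-deployment volume).
    """
    drop = 1 - sample_post / sample_pre
    return drop, system_pre * sample_post / sample_pre


if __name__ == "__main__":
    for resolver, group in classify_resolvers(PRE_DEPLOYMENT, POST_DEPLOYMENT).items():
        print(resolver, group)
    pre_total = total_undelegated(PRE_DEPLOYMENT)
    post_total = total_undelegated(POST_DEPLOYMENT)
    # system_pre=1300 stands in for a baseline taken across all roots (assumed).
    drop, est = estimate_population(pre_total, post_total, system_pre=1300)
    print(f"sampled drop {drop:.1%}; estimated system-wide post volume {est:.0f}")
```

In the constructed data, 192.0.2.10 drops from four undelegated queries to one with no repeats (group 1), 192.0.2.20 drops by 60% but still asks twice for names under the absent "corp" TLD (group 2), and 192.0.2.30 is unchanged (group 3). Against real captures the per-resolver attribution is exactly what the aggregate RCODE-VOLUME metric lacks, and the group 2 test would need the actual NSEC TTLs and query timestamps rather than a fixed window.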