Thank you Fujiwara-san for doing some repeatable research!

It's been over 10 years since your valuable efforts. Perhaps time to redo that with higher fidelity data from all the RSOs? Better yet including data from the global public resolvers?

I note that my observation of NSEC3, for the explicit denial of non-existence, has changed the traffic profile of DNS traffic to the RSS; at one point it was greater than 80% of the qry rate. Seems now it may be less than 50%. So the system is evolving.

I also note (and I think I agree with you) that using probes to send queries directly to root servers is misaligned with the resolution process, hence the fidelity of results is far less than ideal. Getting data directly from the resolvers would (with lofty expectations) be the gold standard.

Cheers,
Terry
--
Mobile device, don't expect grammar.

On 15 Oct 2024, at 2:30 PM, Kazunori Fujiwara <fujiwara@jprs.co.jp> wrote:
Terry-san,
Have there been any studies done to analyse the number of resolvers talking to the RSS (with query volumes) that do or do not ask for DNSKEY? (google scholar didn't find anything of note)
We have the DITL dataset. However, IP address anonymization makes estimation difficult.
I did such research in 2010-2013.
- Increase of probable DNSSEC Validations and DNSSEC side effect, 28 July 2013, IEPG Meeting, Berlin, Germany.
http://www.iepg.org/2013-07-ietf87/4%20-%20IEPG-201307-fujiwara-02.pdf
- Analysis of DITL root data and comparison with jp data, 6 Oct., 2013, DNS-OARC Fall 2013 Workshop, Phoenix, AZ, US.
https://indico.dns-oarc.net//getFile.py/access?contribId=1&resId=0&materialI...
Would that not be the categorical definition of DNSSEC validation? Especially in regards to the root server system?
Since many measurement probes send similar queries to root-servers as DNSSEC validators, it may be difficult to accurately determine the number of DNSSEC validators.
-- Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>