[dns-operations] signing a zone with NSEC3 records.

Olaf Kolkman olaf at NLnetLabs.nl
Fri Sep 11 19:32:21 UTC 2009


On Sep 11, 2009, at 6:49 PM, David Conrad wrote:

>
> Only 30% of the queries reaching the root have DO=0 (and by  
> implication any authority) at this point in time.



When I looked at this when working on RIPE352 (http://www.ripe.net/docs/ripe-352.html 
  see figure 2) this was not true.

The server that was at that time authoritative for a bunch of reverse  
address domains (X.arpa where X were the /8s allocated to the NCC) I  
measured much higher fractions of DO queries to those machines.

My thesis (never tried to proof it) was that machines that do reverse  
queries are more typically part of network infrastructure (like MTAs)  
they are a little bit more likely to live in a Unix and hence BIND  
dominated environment.



--Olaf




________________________________________________________

Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 235 bytes
Desc: This is a digitally signed message part
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090911/17fbf7ab/attachment.sig>


More information about the dns-operations mailing list