[dns-operations] signing a zone with NSEC3 records.
Olaf Kolkman
olaf at NLnetLabs.nl
Fri Sep 11 19:32:21 UTC 2009
On Sep 11, 2009, at 6:49 PM, David Conrad wrote:
>
> Only 30% of the queries reaching the root have DO=0 (and by
> implication any authority) at this point in time.
When I looked at this when working on RIPE352 (http://www.ripe.net/docs/ripe-352.html
see figure 2) this was not true.
The server that was at that time authoritative for a bunch of reverse
address domains (X.arpa where X were the /8s allocated to the NCC) I
measured much higher fractions of DO queries to those machines.
My thesis (never tried to proof it) was that machines that do reverse
queries are more typically part of network infrastructure (like MTAs)
they are a little bit more likely to live in a Unix and hence BIND
dominated environment.
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 235 bytes
Desc: This is a digitally signed message part
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090911/17fbf7ab/attachment.sig>
More information about the dns-operations
mailing list