[dns-operations] signing a zone with NSEC3 records.

Olaf Kolkman olaf at NLnetLabs.nl
Tue Sep 15 13:06:20 UTC 2009

On Sep 11, 2009, at 10:13 PM, David Conrad wrote:

>>> Only 30% of the queries reaching the root have DO=0 (and by  
>>> implication any authority) at this point in time.
>> When I looked at this when working on RIPE352 (http://www.ripe.net/docs/ripe-352.html 
>>  see figure 2) this was not true.
> RIPE 352 was published 4 years ago, right?  The 60-70% DO=1 stats  
> are current as of about 5 minutes ago on the "L" root server.  My  
> guess would be that a lot of folks have upgraded their resolvers as  
> a result of the stuff Kaminsky's published.

Sorry, possible misunderstanding.

I thought that when you said "and by implication any authority" that  
you tried to imply that if the root servers are hit by X% of DO bit  
traffic any other authoritative server is also hit by X% of DO bit  

Based on that interpretation I argued that that was not observed and  
that there may be servers that get more than X% of DO bit traffic. In  
other words the traffic patterns (in terms of DO=1 percentages) will  
differ based on the zones one serves.

That X raised from ca 30 to 60-70% doesn't surprise me.



Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 235 bytes
Desc: This is a digitally signed message part
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090915/d3ab7bad/attachment.sig>

More information about the dns-operations mailing list