[dns-operations] signing a zone with NSEC3 records.
olaf at NLnetLabs.nl
Tue Sep 15 13:06:20 UTC 2009
On Sep 11, 2009, at 10:13 PM, David Conrad wrote:
>>> Only 30% of the queries reaching the root have DO=0 (and by
>>> implication any authority) at this point in time.
>> When I looked at this when working on RIPE352 (http://www.ripe.net/docs/ripe-352.html
>> see figure 2) this was not true.
> RIPE 352 was published 4 years ago, right? The 60-70% DO=1 stats
> are current as of about 5 minutes ago on the "L" root server. My
> guess would be that a lot of folks have upgraded their resolvers as
> a result of the stuff Kaminsky's published.
Sorry, possible misunderstanding.
I thought that when you said "and by implication any authority" that
you tried to imply that if the root servers are hit by X% of DO bit
traffic any other authoritative server is also hit by X% of DO bit
Based on that interpretation I argued that that was not observed and
that there may be servers that get more than X% of DO bit traffic. In
other words the traffic patterns (in terms of DO=1 percentages) will
differ based on the zones one serves.
That X raised from ca 30 to 60-70% doesn't surprise me.
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 235 bytes
Desc: This is a digitally signed message part
More information about the dns-operations