[dns-operations] Root DNSSEC deployment information: J root traffic graphs for week of 12 April

Florian Weimer fw at deneb.enyo.de
Sat Apr 17 20:51:54 UTC 2010

* Matt Larson:

> We'll continue to crunch numbers and keep the community informed.  As
> always, suggestions for analysis are welcome.  One active area of
> analysis right now (that was planned but reinforced by suggestions at
> IETF 77) is investigating the movement of source IP address from
> server to server, e.g., are more sources shifting to J now that only
> it remains unsigned?

It's now also fairly reliable to query non-security-aware resolvers
for ./IN/NSEC, ./IN/DNSKEY, ./IN/RRSIG.  If a resolver consistently
returns NODATA responses for them, it means that it's using the J
root.  (For security-aware resolvers, you can use labels with
non-existent TLDs, resulting in higher confidence.)

Of course, it's difficult to reach a representative sample of
resolvers because these queries are not easily reflected through
Javascript and similar technologies.  But if this can be addressed in
some way, this approach will provide more immediate data on DURZ vs
non-DURZ server selection.

More information about the dns-operations mailing list