[dns-operations] DNS Traffic Archive Protocol

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Dec 8 09:16:30 UTC 2010

"relevant" is relative, because you never know what you will
investigate later. For instance, "remove details of lower network
layers (store all data in the same way regardless of IP version or
transport protocol)" will prevent you to do statistics as simple as
"percentage of requests over IPv6". Yes, I noticed your current format
keeps the IP version but, for instance, when storing EDNS, you keep
only the payload size so you cannot track the deployment of new
techniques like EDNS-ping.

"one of the most important design goals is the space efficiency of the
format" Our own experience with DNSmezzo <http://www.dnsmezzo.net/>
seems to indicate that query time is also a big limit (what's the
point of storing data if you don't query it?)  and compression may
endanger it.

"RR class" unlike what I wrote earlier, I believe you can safely save
two bytes here :-)

