[dns-operations] RFC 8145 section 5 queries hidden behind CZ.NIC public resolver

Petr Špaček petr.spacek at nic.cz
Thu Oct 5 17:19:19 UTC 2017 

Oh well, what a trivial mistake!

I'm now runnning
tcpdump -nn -tt -r ... | fgrep -i '_ta-' | fgrep -i -v dlv > ta.log
but it will take dozen hours or so to generate the new log, the PCAP is
about 0.5 TB big.

Stay tuned.

-- 
Petr Špaček  @  CZ.NIC

On 5.10.2017 19:04, Roy Arends wrote:
> use ‘—ignore-case’ or ‘-i’ with fgrep please
> 
> Roy
> 
>> On 5 Oct 2017, at 17:17, Petr Špaček <petr.spacek at nic.cz> wrote:
>>
>> Hello list,
>>
>> during ICANN Root KSK Roll Discussion at DNS-OARC 27 meeting there was
>> an idea to look into data from resolvers to see how many clients is
>> hidden behind a particular resolver.
>>
>> This motivated me to look into anonymized PCAPs from CZ.NICs public
>> resolver running at IPs 217.31.204.130 and 2001:1488:800:400::130 to see
>> how many clients with RFC 8145 support is hidden behind this resolver.
>>
>> It turns out that not very much, and that all captured RFC 8145 section
>> 5 queries contain *both* root key ids (old + new).
>>
>> Here are number of unique IP addresses querying in any given day.
>>
>> 2017-08-31	2
>> 2017-09-01	3
>> 2017-09-02	1
>> 2017-09-03	5
>> 2017-09-04	5
>> 2017-09-05	6
>> 2017-09-06	4
>> 2017-09-07	6
>> 2017-09-08	4
>> 2017-09-09	4
>> 2017-09-10	3
>> 2017-09-11	1
>> 2017-09-12	5
>> 2017-09-13	6
>> 2017-09-14	5
>> 2017-09-15	8
>> 2017-09-16	4
>> 2017-09-17	6
>> 2017-09-18	4
>> 2017-09-19	4
>> 2017-09-20	7
>> 2017-09-21	5
>> 2017-09-22	5
>> 2017-09-23	4
>> 2017-09-24	2
>> 2017-09-25	5
>> 2017-09-26	3
>> 2017-09-27	4
>> 2017-09-28	3
>> 2017-09-29	5
>> 2017-09-30	6
>>
>> To generate this, I used following command:
>> tcpdump -nn -tt -r pcap | fgrep '_ta-' | fgrep -v dlv > ta.csv
>>
>> For postprocesing I decided to use LibreOffice which made easy to
>> convert UNIX timestamps to readable dates and then group results by date.
>>
>> Hints:
>> =<TIMESTAMP>/86400+25569 will give you number which can be directly
>> formated as date
>>
>> I hope this will encourage other operators to look into their data and
>> publish results as well.
>>
>> -- 
>> Petr Špaček  @  CZ.NIC
>>
>> P.S. I told to few people privately that there were none such queries
>> behind the resolver. This statement was incorrect because of a mistake
>> in data processing.

More information about the dns-operations mailing list