[dns-operations] A significant source of KSK2010 RFC8145 signals

Wes Hardaker wjhns1 at hardakers.net
Wed May 9 23:13:32 UTC 2018

I few weeks ago I did some large-data crunching and discovered that a
significant source of the KSK-2010-only RFC8145 signals were arriving at
the root servers from a one VPN providers software.  I immediately
reached out to the vendor, who promised to release fixes soon and I
expect over the next couple of months we'll see visible dents in the
RFC8145 data that ICANN has been gathering.  My estimation of how much
of the old-key data belonged to this particular problem looks to be
roughly (it's not exact science) 32% on the low end.  Potentially
higher, as the upper end isn't as easy to calculate.

Details of my analysis will come later in a longer write-up and will
likely be presented at future OARC and other meetings if I'm accepted as
a presenter.  In the mean time, cross your fingers for a high impact in
the near future :-)

Wes Hardaker

More information about the dns-operations mailing list