[dns-operations] A significant source of KSK2010 RFC8145 signals
Keith Mitchell
keith at dns-oarc.net
Thu May 10 14:20:15 UTC 2018
On 05/09/2018 07:13 PM, Wes Hardaker wrote:
>
> A few weeks ago I did some large-data crunching and discovered that
> a significant source of the KSK-2010-only RFC8145 signals were
> arriving at the root servers from one VPN provider's software. I
> immediately reached out to the vendor, who promised to release fixes
> soon and I expect over the next couple of months we'll see visible
> dents in the RFC8145 data that ICANN has been gathering. My
> estimation of how much of the old-key data belonged to this
> particular problem looks to be roughly (it's not exact science) 32%
> on the low end. Potentially higher, as the upper end isn't as easy
> to calculate.
>
> Details of my analysis will come later in a longer write-up and will
> likely be presented at future OARC and other meetings if I'm accepted
> as a presenter. In the meantime, cross your fingers for a high
> impact in the near future :-)
Excellent work :-) I for one look forward to hearing more about this.
There's probably also a meta-lesson here on the growing prevalence of
VPN usage and consequent considerations for DNS infrastructure
deployment....
Keith