[dns-operations] A significant source of KSK2010 RFC8145 signals

Keith Mitchell keith at dns-oarc.net
Thu May 10 14:20:15 UTC 2018

On 05/09/2018 07:13 PM, Wes Hardaker wrote:
> I few weeks ago I did some large-data crunching and discovered that
> a significant source of the KSK-2010-only RFC8145 signals were
> arriving at the root servers from a one VPN providers software.  I
> immediately reached out to the vendor, who promised to release fixes
> soon and I expect over the next couple of months we'll see visible
> dents in the RFC8145 data that ICANN has been gathering.  My
> estimation of how much of the old-key data belonged to this
> particular problem looks to be roughly (it's not exact science) 32%
> on the low end.  Potentially higher, as the upper end isn't as easy
> to calculate.
> Details of my analysis will come later in a longer write-up and will 
> likely be presented at future OARC and other meetings if I'm accepted
> as a presenter.  In the mean time, cross your fingers for a high
> impact in the near future :-)

Excellent work :-) I for one look forward to hearing more about this.

There's probably also a meta-lesson here on the growing prevalence of
VPN usage and consequent considerations for DNS infrastructure


More information about the dns-operations mailing list