[dns-operations] Mysteries of DNSSEC
Robert Edmonds
edmonds at mycre.ws
Sat Mar 30 18:23:04 UTC 2024
John Levine wrote:
> The first surprise I found is that once I turned it on, nearly every
> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
> set of clients?
If you mean the "DNSSEC OK" EDNS header flag, yeah, that's typical. I believe
RFC 3225 is the relevant reference.
> Another surprise is that I'm getting a lot of repeated DNSKEY queries
> even though the TTL is an hour. One repeat customer is Cloudflare,
> another is pfsense22.plan-gis.net, at some random company in Germany.
> My theories are A) a bunch of different caches behind a load balancer,
> B) a too small cache, C) buggy software.
Cloudflare specifically may have many DNS resolvers behind a single IP:
https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-anymore
"With a port slice of say 2,048 ports, we can share one IP among 31 servers."
--
Robert Edmonds
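To make the "DNSSEC OK" (DO) flag concrete: RFC 3225 places it in the top bit of the 16-bit EDNS flags field, which lives in the low half of the OPT pseudo-RR's 32-bit TTL field. The following is an added example, not code from this thread or from either poster. It builds minimal UDP query packets (constructed sample data; 1232 is used as an assumed EDNS buffer size), then parses them the way a server operator might when measuring what fraction of incoming DNSKEY queries set DO. The helper names (`build_query`, `parse_do_flag`, `do_fraction`) are my own.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
QTYPE_DNSKEY = 48
DO_BIT = 0x8000    # RFC 3225: high bit of the 16-bit EDNS flags


def build_query(qname: str, qtype: int, edns: bool, do: bool, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query. With edns=True an OPT RR is appended;
    do=True additionally sets the DNSSEC OK bit in that OPT RR."""
    arcount = 1 if edns else 0
    # Header: ID, flags (RD only), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    if edns:
        flags = DO_BIT if do else 0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size (1232 assumed),
        # "TTL" = ext-RCODE(8) | version(8) | flags(16), RDLENGTH=0
        pkt += b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 1232, 0, 0, flags, 0)
    return pkt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_do_flag(pkt: bytes):
    """Return True/False for the DO bit, or None if the query carries no OPT RR."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                     # QTYPE + QCLASS
    # Answer and authority sections are normally empty in a query; skip them if present.
    for _ in range(an + ns):
        off = _skip_name(pkt, off)
        _, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_flags = ttl & 0xFFFF                      # low 16 bits of the OPT "TTL"
            return bool(edns_flags & DO_BIT)
    return None


def do_fraction(packets) -> float:
    """Fraction of queries (EDNS or not) that set DO; what a '99%' observation measures."""
    packets = list(packets)
    with_do = sum(1 for p in packets if parse_do_flag(p) is True)
    return with_do / len(packets) if packets else 0.0


# Constructed sample traffic: three resolvers asking for DNSKEY with DO set,
# one legacy client sending no OPT RR at all.
SAMPLE_QUERIES = [
    build_query("example.net", QTYPE_DNSKEY, edns=True, do=True),
    build_query("example.net", QTYPE_DNSKEY, edns=True, do=True),
    build_query("example.net", QTYPE_DNSKEY, edns=True, do=True),
    build_query("example.net", QTYPE_DNSKEY, edns=False, do=False),
]

if __name__ == "__main__":
    for p in SAMPLE_QUERIES:
        print(parse_do_flag(p))
    print(f"DO set on {do_fraction(SAMPLE_QUERIES):.0%} of sample queries")
```

On a real server you would feed `parse_do_flag` the UDP payloads from a packet capture rather than constructed packets; the parser deliberately treats "no OPT RR" as a third state, since a client without EDNS support cannot express DO at all and should not be counted as having declined it.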