[dns-operations] Mysteries of DNSSEC

Robert Edmonds edmonds at mycre.ws
Sat Mar 30 18:23:04 UTC 2024

John Levine wrote:
> The first surprise I found is that once I turned it on, nearly every
> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
> set of clients?

If you mean the "DNSSEC OK" EDNS header flag, yeah, that's typical. I believe
RFC 3225 is the relevant reference.

> Another surprise is that I'm getting a lot of repeated DNSKEY queries
> even though the TTL is an hour. One repeat customer is Cloudflare,
> another is pfsense22.plan-gis.net, at some random company in Germany.
> My theories are A) a bunch of different caches behind a load balancer,
> B) a too small cache, C) buggy software.

Cloudflare specifically may have many DNS resolvers behind a single IP:


"With a port slice of say 2,048 ports, we can share one IP among 31 servers."

Robert Edmonds

More information about the dns-operations mailing list