[dns-operations] Mysteries of DNSSEC
Joe Abley
jabley at strandkip.nl
Sat Mar 30 18:36:15 UTC 2024
On 30 Mar 2024, at 19:18, John Levine <johnl at taugh.com> wrote:
> The first surprise I found is that once I turned it on, nearly every
> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
> set of clients?
If you mean almost all queries had EDNS(0) and DO=1 then I think that's typical.
> Another surprise is that I'm getting a lot of repeated DNSKEY queries
> even though the TTL is an hour. One repeat customer is Cloudflare,
> another is pfsense22.plan-gis.net, at some random company in Germany.
> My theories are A) a bunch of different caches behind a load balancer,
> B) a too small cache, C) buggy software.
I am not very familiar with 1.1.1.1's internals, so I could guess but that doesn't seem very helpful. If you'd like an introduction to the people who run it I can make one.
Joe