[dns-operations] Mysteries of DNSSEC

Joe Abley jabley at strandkip.nl
Sat Mar 30 18:36:15 UTC 2024

On 30 Mar 2024, at 19:18, John Levine <johnl at taugh.com> wrote:

> The first surprise I found is that once I turned it on, nearly every
> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
> set of clients?

If you mean almost all queries had EDNS(0) and DO=1 then I think that's typical.

> Another surprise is that I'm getting a lot of repeated DNSKEY queries
> even though the TTL is an hour. One repeat customer is Cloudflare,
> another is pfsense22.plan-gis.net, at some random company in Germany.
> My theories are A) a bunch of different caches behind a load balancer,
> B) a too small cache, C) buggy software.

I am not very familiar with's internals, so I could guess but that doesn't seem very helpful. If you'd like an introduction to the people who run it I can make one. 

