Daniel Karrenberg

DNS Clients Do Request DNSSEC Today

Daniel Karrenberg
3

After the DNS root zone was finally signed and a number of TLDs began signing their zones, we were curious to see how many clients actually request DNSSEC information. First we looked at our server that provides secondary service to several ccTLDs.


This server answers some 5000 queries per second on average. Here is the percentage of those queries that requested DNSSEC information in August 2010:

Figure 1: Queries with DNSSEC OK bit set

More than 50% of all queries request DNSSEC information from this server. This is quite encouraging. However, we do not know what the clients do with this information when they receive it.

We noticed a weekly pattern in the graph and investigated a little. Comparing this pattern to the query type looked promising:

Query type breakdown for August 2010

Figure 2: Queries by QType

 

It seems that the number of queries for mail servers (MX record queries) has a similar pattern. Looking at queries for MX records only confirms this:

Query type breakdown for August 2010

Figure 3: Queries for MX Records

 

On weekends we see relatively more queries for MX records and relatively fewer requests for DNSSEC information. Whether these MX queries are those that do not request DNSSEC information needs further investigation. However from my personal experience of receiving more SPAM during the weekend than during the week there certainly are a few hypotheses we could investigate here ....

Let us complete the picture with data from some other RIPE NCC servers. Queries arriving at servers for reverse DNS zones show a similar picture with a slightly different pattern:

Percentage of queries with DO bit at rDNS servers

Figure 4: Reverse DNS zone queries with DNSSEC OK bit set

Still about 50% of all queries request DNSSEC information but the patterns are reversed and not quite weekly. Interesting ...

Looking at k.root-servers.net the picture is a little less constant:

Percentage of queries at K-root with DO bit set

Figure 5: Queries with DNSSEC OK bit set as seen on k.root-servers.net

 

Again some weekly patterns and normally more than 50%. Root name servers receive more 'anomalous' queries than other servers, a phenomenon often referred to as 'junk'. These queries often arrive at a very high rate and constitute a large percentage of the total load. Consequently a few sources or types of junk queries can influence measurements like this in a big way. The three large dips in this graph, for example, are caused by a high volume of non-EDNS0 queries with a single source address.

In conclusion we can say that the servers we operate consistently receive requests for DNSSEC information with more than half of the queries they answer. That is encouraging.

 

 

3

You may also like

View more

About the author

Daniel Karrenberg Based in Western Europe, NL&DE mostly

>>>>>>>>>>>> https://www.ripe.net/about-us/press-centre/publications/speakers/daniel-karrenberg <<<<<<<<<<<< Ample information about his past sins can be found using your favourite search engine. Following are a few additional keywords you might use, arranged by decade: 1980s: GUUG EUUG EUnet unido mcvax cwi RARE iepg RIPE; 1990s: RIPE+NCC rir iana postel terena ebone centr k.root-servers.net; 2000s: dnsmon nsd ris internet+society rssac; 2010s: ripe+labs ripestat ripe+atlas

Comments 3