On Monday, February 1, 2010, DNS-OARC organized a few presentations at the start of the 2nd Global Annual Symposium on DNS Security, Stability and Resiliency

Presentations and Notes

13:15: Introduction to DNS-OARC Roy Arends / DNS-OARC

 

13:25: Investigating anomalous DNS traffic: A proposal for an address reputation system Sebastian Castro / .NZ Registry Services

Q&A Willingness of operators to cooperate?

In case you haven't heard, L.ROOT-SERVERS.NET began serving a DNSSEC-signed root zone today. DNS-OARC has been collecting data during the signed root rollout. The graph below shows how L-root's priming response size has increased during the last hour since it first began serving signed responses:

We're also watching the data below to see if there are noticeable increases in priming query rates after signing:

Last week someone asked me if the DITL 2009 data could shed any light on the amount of queries sent to TLDs with wildcards. While we do have data from a few TLD operators, it wouldn't really help to answer this question. However, I think we can get a "first-order approximation" by looking at the queries to root nameservers. Note that by looking at queries to the roots, we have no knowledge of client queries that are cache hits and those that are sent to the TLD nameservers due to cached referrals.

A couple months ago I posted some data from the OARC reply size test service. Recently some folks have been wondering if the situation is getting better or staying the same. Today I created a graph that shows the monthly trend: The data probably does not contain enough samples to ascertain any trends. The number of samples in each month is shown at the top of the bars.

Here at the RIPE 59 meeting in Lisbon, Joe Abley from ICANN and Matt Larson from VeriSign announced a plan and schedule for signing the Root Zone. A number of interesting tidbits:

1. The root zone will technically be signed by December 1, 2009 although ICANN and VeriSign will keep it to themselves for internal testing.
2. Between January and July 2010, the root servers will begin serving the signed zone one "letter" (server) at a time.
3. Also during this rollout period, actual DNSSEC keys will be replaced with "dummy" keys so that validation CANNOT occur.

Earlier this year, ICANN contracted with DNS-OARC to study the impacts of potential changes facing the DNS root zone. These changes include: (1) a significant increase in the number of gTLDs, (2) signing the zone with DNSSEC, and (3) continued increase in IPv6 glue.

I was recently asked if OARC had any data on the percentage of DNS queries with bad or disabled UDP checksums.

Over on the IETF namedroppers mailing list there is a discussion about DNSSEC and UDP fragmentation. See this thread, for example. Since the OARC Reply Size Test has been going for a couple of months now, I thought maybe it would have enough data for a decent analysis. Here's what I found: The sample isn't quite as large as I'd like.

A couple weeks ago I gave a lightning talk at NANOG46 titled DNSSEC, EDNS and TCP using data from before and after the .ORG zone became signed.