A couple weeks ago I gave a lightning talk at NANOG46 titled
DNSSEC, EDNS and TCP using data from before and after the .ORG zone became signed.
Afilias and
PIR have been gracious enough to share data from this event with DNS-OARC.
As we
recently speculated, the .ORG data clearly shows that queries with DO=1 and a small EDNS buffer size leads to an increase in DNS queries over TCP:
Prior to publishing the signed zone, this server recieved very little TCP traffic (maybe once per 5 seconds). After the signed zone was fully published at 4PM, the TCP query rate is closer to
75 60/second.
Next I looked at what types of queries are in the TCP traffic. The following plot shows it is mostly A, MX, and AAAA:
Prior to signing, the TCP traffic is just noise and should be ignored. After signing we see about 70% A, 15% MX, and 10% AAAA. This is more-or-less normal. Upon comparison to the
UDP query types, we see that TCP has a higher percentage of A queries, lower percentage of MX, and a higher percentage of AAAA.
I also looked at the Rcodes in the TCP traffic:
It shows 82% NOERROR and 17% NXDOMAIN for TCP, whereas it is 71% and 29% respectively for
UDP. In other words, the TCP queries are not due a particular query type or response code.
Update
I was asked for some more specific numbers since it can be difficult to determine values from the logarithmically scaled graphs. The following table shows hourly mean values for the data in the first plot above. All numbers are queries per second:
Hour | UDP | EDNS=512 | TC=1 | TCP |
12:00:00 | 3799 | 15.4 | 0.00 | 0.23 |
13:00:00 | 4271 | 16.8 | 0.00 | 0.21 |
14:00:00 | 4350 | 17.1 | 3.23 | 1.82 |
15:00:00 | 4305 | 26.7 | 21.1 | 13.3 |
16:00:00 | 5002 | 112.6 | 96.3 | 59.9 |
17:00:00 | 4923 | 100.7 | 85.3 | 56.9 |
18:00:00 | 4581 | 99.2 | 84.3 | 57.9 |