Re: [DNSOP] Updated KSK Sentinel document

Joe Abley <jabley@hopcount.ca> Tue, 13 February 2018 18:18 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2135912D868 for <dnsop@ietfa.amsl.com>; Tue, 13 Feb 2018 10:18:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7mUSKH80Pjm for <dnsop@ietfa.amsl.com>; Tue, 13 Feb 2018 10:18:35 -0800 (PST)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3C1C124D68 for <dnsop@ietf.org>; Tue, 13 Feb 2018 10:18:35 -0800 (PST)
Received: by mail-io0-x233.google.com with SMTP id m11so22263184iob.2 for <dnsop@ietf.org>; Tue, 13 Feb 2018 10:18:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=SS2WhFozzu7d6N7k8pgomgYW/2B9k4wAmgkcp4mArPE=; b=Q4+xo6AIbnRaX2krJNqHci9ie3g6LOellb4yqNg3UypPx6NnaP1Ghw0sHtRVYeCzIB of1CDo8ed8UcB3zUpQTdJvrTT+7mOutQUJkeAQgCtytcUhRPr0OJsdbYmP0URZZC+B98 ddqMVYqojj1NCvqRSbNwENv6xc6Y5nW6jXEj4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=SS2WhFozzu7d6N7k8pgomgYW/2B9k4wAmgkcp4mArPE=; b=OjrYklTh4z/xticVGezCjeO6hvojbmUPXDzfp/WuVf4Sxa/ZilDO3pHpGnnZx5+Bog +u5IyXCps/QI4NF7sGwatiiQVnNF92ogCNCgHWOhXrEZHok2lLNl1a3A8/4RgybcEl83 YUt0v9GDuA4oA5HotQ5bn0ktvQ6RMfJu6z30WzP07J2WlwqlwcfpT45iukudnpaUIAXc S+8HTCmaW/IqIw2aoL3KKzf3pQLoQBjx6uxk4kPuGU8DBsh5DJdbugMQ5WGpV+LvDm7b Sl6832QkBqq22V25TS3vLZDsP0hUR49lfAk7oYnlP6tBcXonyI7VCNNSQwmcDu94lonk nxfA==
X-Gm-Message-State: APf1xPAGF5BW5XMzjJH6226DrlTlgDMbSidLUoBU896ZL62XqvBJ8Oti SV77dMafxRHni+PxTdpQ1XA4og==
X-Google-Smtp-Source: AH8x224zI2sfex+g/zDjAgGzr6T+gHBR9TPshjQVzTTHn3outCVfO3N+RFFARJZZIx35go7IL1aqtQ==
X-Received: by 10.107.139.195 with SMTP id n186mr2445976iod.49.1518545915030; Tue, 13 Feb 2018 10:18:35 -0800 (PST)
Received: from node-131fehd9hezw2t337z.ipv6.teksavvy.com ([2607:f2c0:101:203:5439:db88:2325:780f]) by smtp.gmail.com with ESMTPSA id v2sm13823916iob.72.2018.02.13.10.18.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Feb 2018 10:18:33 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CA+nkc8AeY2+Azw7Rk-y4s5Gfp=amYZNiN=_kxtetgS9s8kcEYg@mail.gmail.com>
Date: Tue, 13 Feb 2018 13:18:29 -0500
Cc: Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <526EAF07-7F4F-49AE-B68A-3C71DE0FDE8A@hopcount.ca>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <CA+nkc8AeY2+Azw7Rk-y4s5Gfp=amYZNiN=_kxtetgS9s8kcEYg@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rmiegHj63to5o4qmwtR4Y65dvn8>
Subject: Re: [DNSOP] Updated KSK Sentinel document
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2018 18:18:37 -0000

On 13 Feb 2018, at 12:10, Bob Harold <rharolde@umich.edu> wrote:

> Thanks, the explanation helped.  I finally realized that it only works if all (or most) validating resolvers are updated to support this new feature, otherwise we have a bunch of responses that are uncertain.

Based on numbers of queries arriving at ORG servers, the top dozen or so ASes account for over half of all resolver traffic. Most of those ASes (there are a couple of exceptions) originate almost all of this DNS traffic from a small number of source addresses.

So "most", in practice, at least by those metrics, might not be a very large number. There is a very long tail.


Joe