On Thu, Sep 03, 2015 at 03:32:12PM +0200, Giovane C. M. Moura wrote:
> https://stats.sidnlabs.nl/

Quick question/observation about the TLSA query portion of the data-set. At least for SMTP, the query pattern is:

    ; sent to .nl authoritative servers when cache is cold
    ;
    Q: example.nl. IN MX ?
    A: example.nl IN MX 0 mail.example2.nl

    ; sent to .nl authoritative servers when cache is cold
    ; and the MX host domain is not enclosed by the next-hop
    ; domain (otherwise the query goes to the next-hop domain's
    ; authoritative servers learned above).
    ;
    Q: mail.example2.nl. IN A ?
    A: mail.example2.nl. IN A 192.0.2.1

    ; sent to example2.nl authoritative servers when cache is cold,
    ; bypassing the .nl servers, because of the immediately preceding
    ; address lookup
    ;
    Q: _25._tcp.mail.example2.nl. IN TLSA ?
    A: _25._tcp.mail.example2.nl. IN TLSA 3 1 1 <pkey-digest>

So it seems that TLSA queries observed at the .nl level will substantially under-represent the actual query load even for cold caches.

I'd be curious to know what you're seeing for the dominant "_<port>" number in the observed TLSA queries, and whether any particular resolvers are responsible for the bulk of the "_25" queries. It may well be that these are mostly originated by testing tools (rather than real MTAs) that skip or parallelize the required address queries.

-- 
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
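The cache-driven routing described in the message, as an added example that is not part of the original post or of any resolver's code: a small Python model of an iterative resolver with a cold cache that reports which zones' authoritative servers are asked at each step of the MX, A and TLSA chain. The delegation tree is constructed from the names used in the message (example.nl, example2.nl).

```python
# Added example (not from the original message): a minimal model of an
# iterative resolver with a cold cache, showing which zones' authoritative
# servers are asked at each step of the SMTP DANE chain MX -> A -> TLSA.
# Delegation tree is constructed; names are those used in the message.

# zone -> child zones it delegates; a referral teaches the resolver the
# child's NS records, which are then cached.
DELEGATIONS = {
    ".": {"nl."},
    "nl.": {"example.nl.", "example2.nl."},
    "example.nl.": set(),
    "example2.nl.": set(),
}

def ancestors(qname):
    """Enclosing zones of qname, closest first, ending at the root."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def resolve(qname, cache):
    """Return the zones whose servers are asked while resolving qname.
    `cache` is the set of zones whose NS records are already known; start
    at the closest enclosing cached zone and follow referrals downward."""
    zone = next(z for z in ancestors(qname) if z in cache)
    asked = [zone]
    while True:
        child = next((c for c in DELEGATIONS.get(zone, ())
                      if qname == c or qname.endswith("." + c)), None)
        if child is None:
            return asked
        cache.add(child)  # later queries under this zone skip the parent
        zone = child
        asked.append(zone)

def dane_smtp_chain(mx_host, next_hop="example.nl."):
    """Cold-cache lookups an MTA makes for next_hop: MX, then A for the MX
    host, then TLSA at _25._tcp.<mx host>. Returns {query: zones asked}."""
    cache = {"."}  # cold cache: only the root hints are known
    asked = {}
    asked["MX " + next_hop] = resolve(next_hop, cache)
    asked["A " + mx_host] = resolve(mx_host, cache)
    asked["TLSA _25._tcp." + mx_host] = resolve("_25._tcp." + mx_host, cache)
    return asked

def seen_by(zone, asked):
    """Queries from the chain that the given zone's servers actually observe."""
    return [q for q, zones in asked.items() if zone in zones]
```

For the message's example, `seen_by("nl.", dane_smtp_chain("mail.example2.nl."))` lists only the MX and A queries, and with an MX host inside example.nl even the A query bypasses the .nl servers.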