John Levine wrote:
> The first surprise I found is that once I turned it on, nearly every
> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
> set of clients?

If you mean the "DNSSEC OK" EDNS header flag, yeah, that's typical. I believe RFC 3225 is the relevant reference.

> Another surprise is that I'm getting a lot of repeated DNSKEY queries
> even though the TTL is an hour. One repeat customer is Cloudflare,
> another is pfsense22.plan-gis.net, at some random company in Germany.
> My theories are A) a bunch of different caches behind a load balancer,
> B) a too small cache, C) buggy software.

Cloudflare specifically may have many DNS resolvers behind a single IP:

https://blog.cloudflare.com/cloudflare-servers-dont-own-ips-anymore

"With a port slice of say 2,048 ports, we can share one IP among 31 servers."

-- 
Robert Edmonds

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
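An added example, not code from either poster: a small Python script that builds a few DNS query packets on the wire format, parses them back to read the EDNS OPT record and the DO bit (RFC 3225, the top bit of the OPT RR's TTL field), and then runs two of the checks the thread discusses over constructed sample traffic: what fraction of queries set DO, and whether repeated DNSKEY queries from one source IP arrive from different source-port ranges. The 2,048-port slice size is taken from the Cloudflare quote and used only as a heuristic; `build_query`, `parse_query`, `analyze` and the sample addresses/ports are all assumptions for illustration.

```python
"""Added example: check the DO bit and source-port slices in DNS query traffic.

Not from the thread.  PORT_SLICE is a heuristic taken from the quoted
Cloudflare post, and SAMPLE is constructed traffic, not real log data.
"""
import struct
from collections import defaultdict

DO_BIT = 0x8000       # RFC 3225: DO is the high bit of the OPT RR "TTL" field
OPT = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)
DNSKEY = 48
A = 1
PORT_SLICE = 2048     # assumed slice size (heuristic)


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, edns=True, do=True, txid=0x1234):
    """Construct a minimal UDP DNS query, optionally with an EDNS0 OPT RR."""
    # id, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # IN class
    pkt = header + question
    if edns:
        ttl = DO_BIT if do else 0     # ext-RCODE=0, version=0, DO flag, Z=0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, 0)
    return pkt


def _decode_name(pkt, off):
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = ((ln & 0x3F) << 8) | pkt[off]
            name, _ = _decode_name(pkt, ptr)
            labels.append(name.rstrip("."))
            off += 1
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def parse_query(pkt):
    """Return (qname, qtype, edns_present, do_set) for a one-question query."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = _decode_name(pkt, off)
    qtype, _ = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = do = False
    # A query carries no answer/authority RRs; walk the RRs looking for OPT.
    for _ in range(an + ns + ar):
        _, off = _decode_name(pkt, off)
        rtype, _, rttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns = True
            do = bool(rttl & DO_BIT)
    return qname, qtype, edns, do


def analyze(log):
    """log: iterable of (src_ip, src_port, packet).

    Returns (fraction of queries with DO set, {src_ip: sorted port slices
    from which DNSKEY queries arrived}).  Several slices for one IP is
    consistent with many resolvers sharing that address, as in the quote.
    """
    total = do_count = 0
    dnskey_slices = defaultdict(set)
    for ip, port, pkt in log:
        _, qtype, _, do = parse_query(pkt)
        total += 1
        do_count += do
        if qtype == DNSKEY:
            dnskey_slices[ip].add(port // PORT_SLICE)
    return do_count / total, {ip: sorted(s) for ip, s in dnskey_slices.items()}


# Constructed sample traffic (not real log data): one IP repeating a DNSKEY
# query from three different port slices, plus two unrelated A queries.
SAMPLE = [
    ("192.0.2.10", 3000, build_query("example.net", DNSKEY)),
    ("192.0.2.10", 3100, build_query("example.net", DNSKEY)),      # same slice
    ("192.0.2.10", 40000, build_query("example.net", DNSKEY)),     # slice 19
    ("192.0.2.10", 60000, build_query("example.net", DNSKEY)),     # slice 29
    ("198.51.100.7", 5353, build_query("example.net", A, edns=False)),
    ("198.51.100.7", 5354, build_query("www.example.net", A, do=False)),
]

if __name__ == "__main__":
    frac, slices = analyze(SAMPLE)
    print(f"DO set on {frac:.0%} of queries; DNSKEY port slices: {slices}")
```

Run against a real capture by replacing SAMPLE with (ip, port, payload) tuples read from a pcap; the same source IP showing DNSKEY queries from many distinct slices is the signature of theory A, while repeats all from one slice point more at B or C.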
