On 10/25/23 18:19, Johan Stenstam wrote:
> With “scanners” I refer to CDS scanners and CSYNC scanners. These things issue a gazillion DNS queries, over and over and over, with an extremely small catch of “new CDS” or “new CSYNC” records. They get hit by rate limiting measures from the large DNS providers.
If that's the case, there's a significant problem. Do you have numbers on the extent of the problem / how much of an issue that is for your daily runs at .se?
> And not only from one vantage point but from several, located around the world.
That's only needed for unauthenticated bootstrapping; both authenticated bootstrapping and CDS-induced DS updates don't need multiple vantage points. Extra vantage points are a mitigation for the (prevalent) lack of signatures during bootstrapping; once authentication is handled, there's no need for it.
> Furthermore, for unsigned delegations, all the nameservers are queried. Every time. It’s a lot of DNS queries.
Where's that written? I don't think it's correct. For example, if you find on the same nameserver that you queried a CDS/CDNSKEY RRset that indicates no change over the existing DS record, then there's no point in looking at other nameservers. (They would either confirm that no update should happen, or they would be contradictory, in which case no update should happen.) Together with the vantage-point considerations, I think the actual number of queries is about 10x lower than if all NS are always asked from several vantage points.
> But do I know of any real life large scale deployments of DNSSEC for corporate internal zones?
I may be wrong, but I believe Salesforce to be an example.

Best,
Peter

--
https://desec.io/

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
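Peter's short-circuit argument above, illustrated by added example code that is not part of this thread: a Python model of the per-nameserver decision a CDS scanner can make, with constructed in-memory CDS RRsets standing in for real DNS queries and hypothetical nameserver names. It also covers the cases the reply only implies (a failed query, an empty CDS RRset).

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed model: a CDS RRset (or the parent's DS set) is a frozenset of
# rdata strings "keytag algorithm digesttype digest"; no real DNS I/O happens.
CDSSet = FrozenSet[str]
Lookup = Callable[[str], Optional[CDSSet]]  # nameserver -> CDS RRset, None if the query failed

def decide_ds_update(existing_ds: CDSSet, nameservers: List[str],
                     lookup: Lookup) -> Tuple[str, int, Optional[CDSSet]]:
    """Query nameservers in order; return (decision, queries_issued, new_ds).

    no-change:    an empty CDS RRset, or one equal to the parent DS, ends the scan:
                  the remaining nameservers can only confirm or contradict it, and
                  neither outcome produces an update, so their queries are saved.
    update:       every nameserver agreed on a CDS RRset that differs from the DS.
    inconsistent: a query failed or the nameservers disagree; no update.
    """
    queries, candidate = 0, None
    for ns in nameservers:
        queries += 1
        rrset = lookup(ns)
        if rrset is None:
            return "inconsistent", queries, None
        if not rrset or rrset == existing_ds:
            return "no-change", queries, None
        if candidate is None:
            candidate = rrset
        elif rrset != candidate:
            return "inconsistent", queries, None
    return "update", queries, candidate

# Constructed DS/CDS material; the digests are placeholders, not real hashes.
DS_CURRENT = frozenset({"11111 13 2 aaaa"})
CDS_ROLLED = frozenset({"22222 13 2 bbbb"})
CDS_OTHER = frozenset({"33333 13 2 cccc"})
NS = ["ns1.example.", "ns2.example.", "ns3.example."]

def run_scenarios() -> Dict[str, Tuple[str, int, Optional[CDSSet]]]:
    """Situations a scanner meets; the query count shows where it stopped asking."""
    # Fake resolver: one answer per nameserver in NS order (hypothetical data).
    per_ns = lambda a, b, c: (lambda ns: dict(zip(NS, (a, b, c)))[ns])
    return {
        "all-match-ds": decide_ds_update(DS_CURRENT, NS, per_ns(DS_CURRENT, DS_CURRENT, DS_CURRENT)),
        "all-rolled":   decide_ds_update(DS_CURRENT, NS, per_ns(CDS_ROLLED, CDS_ROLLED, CDS_ROLLED)),
        "one-stale-ns": decide_ds_update(DS_CURRENT, NS, per_ns(CDS_ROLLED, DS_CURRENT, CDS_ROLLED)),
        "ns-disagree":  decide_ds_update(DS_CURRENT, NS, per_ns(CDS_ROLLED, CDS_OTHER, CDS_ROLLED)),
        "query-failed": decide_ds_update(DS_CURRENT, NS, per_ns(CDS_ROLLED, None, CDS_ROLLED)),
    }

if __name__ == "__main__":
    for name, (decision, queries, _) in run_scenarios().items():
        print(f"{name:13s} -> {decision:13s} after {queries} queries")
```

Only the "all-rolled" case ends up asking every nameserver; the unchanged case, which is by far the common one for a scanner, costs a single query.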
