[Yeti DNS Discuss] Multiple ZSK experiment (MZSK) launching today

dbgong dbgong at biigroup.cn
Fri Feb 19 09:43:52 UTC 2016


All,

Now we have 6 ZSKs in the Yeti root zone.
We keep monitoring on 3 DMs, 15 Yeti root name servers and some recursive servers.

After adding the sixth ZSK, I found that querying DNSKEY on yeti.aquaray.com via UDP failed.
dig returns a timeout, and when we capture the packets we only find the query.

I have tried the test from BII (China) and from a VPS in Germany; both failed.
But when querying DNSKEY via TCP, it's OK.

So the UDP fragments are being lost somewhere.

And we tried the query from our monitoring page (https://yeti-dns.org/monitor.html), whose server is located in the USA.
The result is OK.

The response message size is 1471 bytes (including 6 ZSKs, 1 KSK, and 1 RRSIG).

To do the test:
# UDP
dig @yeti.aquaray.com . dnskey +dnssec +all
# TCP
dig @yeti.aquaray.com . dnskey +dnssec +all +vc

On 2016-02-17 17:37 Shane Kerr <shane at biigroup.cn> wrote:
 
All,
 
We are finally starting our first formal Yeti experiment!
 
You don't have to do anything, but please do report any problems that
you see to this discuss list.
 
The latest document on the experiment (which should get merged into the
main repository shortly):
 
https://github.com/shane-kerr/Yeti-Project/blob/experiment-mzsk/doc/Experiment-MZSK.md
 
Today we are going to start adding additional ZSKs to the Yeti root
zone. Our goal is to get 6 ZSKs into the Yeti root zone. This will let
us know how the DNS works if we were to have one ZSK for each DM
operator and they were all rolling their ZSK at the same time.
 
We are currently in a regular ZSK roll. I didn't account for this
(oops), but it shouldn't be a problem. We will be adding four ZSKs, one
per serial number change, until we have 6 in total. After the current key
rolls out we'll add another back in to return to 6 for the remainder of
this initial phase of the experiment. The timeline looks like this:
 
2016021700 -> zsk1
2016021701 -> zsk2
2016021800 -> zsk3
2016021801 -> zsk4
 
zsk5 will be added when the current ZSK (11844) is deleted, next
Wednesday, with serial 2016022401.
 
We have monitoring in place both with scripts to check that DNSSEC
validation continues to work, as well as RIPE Atlas measurements to
observe any impact as our packet size grows.
 
Cheers,
 
--
Shane
 
 
_______________________________________________
discuss mailing list
discuss at lists.yeti-dns.org
http://lists.yeti-dns.org/mailman/listinfo/discuss

---
Kevin
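A scripted version of the UDP-versus-TCP DNSKEY check from the dig commands above, added here as an example and not code from the Yeti project or the list. It sends the same DNSKEY query with an EDNS0 OPT record (DO bit set, 4096-byte UDP buffer, as dig +dnssec does) over both transports and reports whether UDP answered, was truncated, or timed out while TCP succeeded, which is the fragment-loss signature described in the post. The server name defaults to yeti.aquaray.com from the post; the transaction id 0x1234, the 3-second timeout and the sample responses in the comments are assumptions.

```python
import socket
import struct

def build_dnskey_query(qname=".", txid=0x1234, udp_payload=4096):
    """Wire-format DNSKEY query with an EDNS0 OPT record (DO bit set, like dig +dnssec)."""
    labels = [lab for lab in qname.strip(".").split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = name + struct.pack("!HH", 48, 1)                # QTYPE DNSKEY=48, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0x8000, 0)  # TYPE OPT=41, DO bit
    return header + question + opt

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from server")
        buf += chunk
    return buf

def query(server, wire, tcp=False, timeout=3.0):
    """Send wire to server:53; return the response bytes, or None if UDP times out."""
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(wire)) + wire)  # TCP DNS is length-prefixed
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        try:
            return s.recv(65535)
        except socket.timeout:
            return None

def classify(udp_resp, tcp_resp, txid):
    """Interpret a UDP/TCP response pair the way the post reads its dig results."""
    if tcp_resp is None or struct.unpack("!H", tcp_resp[:2])[0] != txid:
        return "no usable answer over TCP: server or name problem, not fragmentation"
    size = len(tcp_resp)
    if udp_resp is None:
        return f"TCP ok ({size} bytes) but UDP timed out: fragments dropped on path"
    if struct.unpack("!H", udp_resp[2:4])[0] & 0x0200:  # TC bit: server asks for TCP retry
        return f"UDP truncated, TCP ok ({size} bytes): server-side UDP limit, retry over TCP"
    return f"both ok ({size} bytes over TCP, {len(udp_resp)} over UDP)"

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "yeti.aquaray.com"  # name from the post
    q = build_dnskey_query()
    print(classify(query(server, q), query(server, q, tcp=True), 0x1234))
```

Run it from a vantage point that fails and one that succeeds; a "UDP timed out" verdict with a TCP size around 1471 bytes matches the fragment loss reported above, while a "UDP truncated" verdict points at the server's own UDP size limit instead.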


