The Root Canary Project aims to monitor and measure the rollover
of the DNSSEC root KSK. In this project we use over 9000 RIPE Atlas probes and
tens of thousands of vantage points of the Luminati VPN network to continuously
monitor recursive resolvers during the 9-month period of the rollover.
From each vantage point we query for test domains that have bogus and valid
signatures of the 12 DNSSEC algorithms that are standardized by the IETF.
Thereby we can measure how recursive resolvers behave, for example, when the
new KSK of the root becomes active.
Additionally, we gain operational insights into the behavior of recursive
resolvers in the wild that go beyond the root KSK rollover. For example, we
now know that the majority of the observed validating resolvers are stable and that
some resolver implementations have incorrect behavior when they encounter
certain DNSSEC algorithms.
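
The valid/bogus test-domain comparison described above, as an added example that is not the Root Canary Project's own code: it classifies one resolver per algorithm from the response codes for the validly and the bogusly signed name. The verdict labels, field names and sample results are assumptions constructed for illustration.

```python
from collections import namedtuple

# Result of one resolver for one algorithm: the RCODE returned for the validly
# signed test name and for the bogusly signed one. Field names are hypothetical.
Probe = namedtuple("Probe", "alg valid_rcode bogus_rcode")

def classify(p):
    """Raw verdict for a single algorithm, from the valid/bogus pair."""
    if p.valid_rcode == "NOERROR" and p.bogus_rcode == "SERVFAIL":
        return "validates"
    if p.valid_rcode == "NOERROR" and p.bogus_rcode == "NOERROR":
        return "insecure"          # answered the bogus name: no validation done
    if p.valid_rcode == "SERVFAIL":
        return "fails-valid"       # rejects a correctly signed name
    return "unknown"

def summarize(probes):
    """Per-algorithm verdicts, using the other algorithms as context."""
    raw = {p.alg: classify(p) for p in probes}
    validator = "validates" in raw.values()
    report = {}
    for alg, verdict in raw.items():
        if verdict == "insecure":
            # A validator may treat a zone signed only with an algorithm it does
            # not implement as unsigned (RFC 4035, section 5.2), so the same
            # answers mean different things for a validator and a non-validator.
            verdict = "unsupported-algorithm" if validator else "not-validating"
        report[alg] = verdict
    return report

# Constructed sample results; keys are IANA DNSSEC algorithm numbers
# (8 RSASHA256, 13 ECDSAP256SHA256, 15 ED25519, 16 ED448).
RESOLVER_A = [Probe(8, "NOERROR", "SERVFAIL"), Probe(13, "NOERROR", "SERVFAIL"),
              Probe(15, "NOERROR", "NOERROR"), Probe(16, "SERVFAIL", "SERVFAIL")]
RESOLVER_B = [Probe(a, "NOERROR", "NOERROR") for a in (8, 13, 15, 16)]

if __name__ == "__main__":
    for name, probes in (("A", RESOLVER_A), ("B", RESOLVER_B)):
        print(name, summarize(probes))
```

A single `fails-valid` result can also come from a transient lookup failure, so repeated measurements over time are needed before attributing it to the resolver.
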
In this presentation we want to dig deeper into the support of DNSSEC algorithms
and want to show how well recursive resolvers in the wild support the
different signing algorithms, try to explain why some fail, and compare these
results with the actual deployment of DNSSEC in major gTLDs and ccTLDs. By
the 27th DNS-OARC workshop, we will have over 3 months of continuous
measurements at our disposal.
We want to invite the community to provide feedback on our measurements and
help us to improve our ground truth data set. Therefore we want to introduce a
small tool with which operators can contribute to the Root Canary Project and
to studies like the one presented.
In this presentation we want to show how recursive resolvers
in the wild support the wide range of different DNSSEC algorithms. We want to
discuss how well new algorithms are supported, how stably resolvers validate
over time, and compare our results with the deployment of DNSSEC in different
TLDs. This study is based on the Root Canary Project and we would also like to
invite operators to provide feedback and ground truth data to our