Well, an ascii pie meanwhile.
I’m a fan of the DNSSEC blog of SURFNET, a non-profit “task organisation” forming part of SURF, the Dutch higher education and research partnership for ICT-driven innovation.
For almost 5 months they have been publishing on their blog all the steps they’ve taken in implementing DNSSEC in their networks, where they provide recursive DNS service to their clients. I think there’s still a lack of information on the validation side of the DNSSEC infrastructure, so blogs like this are much needed.
Some weeks ago they posted a quiz: a graph of the validation rate they were seeing in their resolvers. The curve shows a great drop in one week, and there was no clear reason for that. I realized that besides that drop, there was a spike one month or so before. If you follow the curve, it was steadily growing, but in one month there was a huge hill, and then it continues with the normal growth. So I thought that something had to be overcounting in those weeks. I remembered that .SE and .GOV were adding their keys to the root in those weeks, and they also had the keys in the ITAR before, so in those weeks their keys were in both places at the same time. SURFNET uses the root and ISC’s DLV (which uses ITAR) as trust anchors, so maybe the spike was due to double counting.
The theory sounded plausible, but there was a confirmation step with the people from Unbound (the server software they use), and it was confirmed. There’s a double validation because the DLV lookups are done using recursion.
There was an attempt to give me a real pie, but sadly I couldn’t find any store in my country that accepted orders from outside. But an ASCII pie is enough and I’m happy to have helped the guys from SURFNET!