DNS Resolver Capabilities
Processed DNS Resolver capability results for probe resolvers (and the uptake or decline of capabilities) can be followed here: https://dnsthought.nlnetlabs.nl/
These ongoing, recurring every hour, measurements have been started on 20 April 2017 during the RIPE DNS Measurements Hackathon event to determine the IP address which is seen at the authoritative server when scheduling a query to a probe resolver. The last measurement also determines IPv6 capability of the resolver.
| msm_id | query | purpose | |
|---|---|---|---|
| 8310237 | o-o.myaddr.l.google.com |
TXT |
IP seen at authoritative |
| 8310245 | whoami.akamai.net |
A |
IP seen at authoritative |
| 8310366 |
<prb_id>.<time>.ripe-hackathon6.nlnetlabs.nl
|
AAAA |
IPv6 seen at authoritative (IPv6 capability) |
These ongoing, recurring every hour, measurements have been started on 20 April 2017 during the RIPE DNS Measurements Hackathon event to determine whether probe resolver can reach an authoritative over TCP when it is requested to do so with an answer with the TC bit (truncated) set. The reply also contains the IP address as seen on the authoritative.
| msm_id | query | purpose | |
|---|---|---|---|
| 8310360 |
<prb_id>.<time>.tc.ripe-hackathon4.nlnetlabs.nl
|
A |
TCP Capability |
| 8310364 |
<prb_id>.<time>.tc.ripe-hackathon6.nlnetlabs.nl
|
AAAA |
TCP on IPv6 Capability |
This ongoing, recurring every hour, measurements has been started on 20 April 2017 during the RIPE DNS Measurements Hackathon event and queries an non-existent domain to determine whether probe resolver do NXDOMAIN rewriting.
| msm_id | query | purpose | |
|---|---|---|---|
| 8311777 | nxdomain.ripe-hackathon2.nlnetlabs.nl |
A |
NXDOMAIN Rewriting |
This ongoing, recurring every hour, measurements has been started on 20 April 2017 during the RIPE DNS Measurements Hackathon event and returns whether or not the resolver does Qname minimization as described in RFC7816 and draft-ietf-dnsop-rfc7816bis
| msm_id | query | purpose | |
|---|---|---|---|
| 8310250 | qnamemintest.internet.nl |
TXT |
QNAME Minimization |
DNSSEC measurements have started 20 June 2017 on request for the rootcanary project. Within the rootcanary project zones with different DNSSEC parameters are signed every week. The parameters used, are represented in the name of the zone. Each zone has a secure A and AAAA resource record on the name secure, and a BOGUS A and AAAA resource record on the name bogus.
| DS Algorithm | DNSKEY Algorithm | NSEC version | ||
|---|---|---|---|---|
secure.bogus.
|
d1d2d3d4
|
a1a3a5
|
n1 |
.rootcanary.net |
secure.bogus.
|
d1d2d3d4
|
a6a7a8a10a12a13a14a15a16
|
n1n3
|
.rootcanary.net |
Whether or not a resolver supports the algorithm can be determined by doing an query for secure and doing one for bogus.
secure |
bogus |
status |
|---|---|---|
| Answer | Answer | not supported |
| Answer | - | supported |
| - | Answer | broken |
| - | - | broken |
The root zone is signed with DNSKEY algorithm 8 (RSA/SHA-256) and contains delegation signers with DS algorithm 2 (SHA-256), so for any of these zones to work, at least this combination must work, which can be tested with zone d2a8n1.rootcanary.net.
These are ongoing measurements repeated every hour against the probe resolvers to determine DNSKEY algorithm support:
| msm_id | query | purpose | |
|---|---|---|---|
| 8926853 | secure.d2a1n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSA/MD5 support |
| 8926854 | bogus.d2a1n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSA/MD5 support |
| 8926855 | secure.d2a3n1.rootcanary.net |
A |
DS SHA256, DNSKEY DSA support |
| 8926856 | bogus.d2a3n1.rootcanary.net |
A |
DS SHA256, DNSKEY DSA support |
| 8926857 | secure.d2a5n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA1 support |
| 8926858 | bogus.d2a5n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA1 support |
| 8926859 | secure.d2a6n1.rootcanary.net |
A |
DS SHA256, DNSKEY DSA-NSEC3 support |
| 8926860 | bogus.d2a6n1.rootcanary.net |
A |
DS SHA256, DNSKEY DSA-NSEC3 support |
| 8926861 | secure.d2a7n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA1-NSEC3 support |
| 8926862 | bogus.d2a7n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA1-NSEC3 support |
| 8926863 | secure.d2a8n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA256 support |
| 8926864 | bogus.d2a8n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA256 support |
| 8926865 | secure.d2a10n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA512 support |
| 8926866 | bogus.d2a10n1.rootcanary.net |
A |
DS SHA256, DNSKEY RSASHA512 support |
| 8926867 | secure.d2a12n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECC-GOST support |
| 8926868 | bogus.d2a12n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECC-GOST support |
| 8926869 | secure.d2a13n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECDSAP256SHA256 support |
| 8926870 | bogus.d2a13n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECDSAP256SHA256 support |
| 8926871 | secure.d2a14n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECDSAP384SHA384 support |
| 8926872 | bogus.d2a14n1.rootcanary.net |
A |
DS SHA256, DNSKEY ECDSAP384SHA384 support |
| 8926873 | secure.d2a15n1.rootcanary.net |
A |
DS SHA256, DNSKEY ED25519 support |
| 8926874 | bogus.d2a15n1.rootcanary.net |
A |
DS SHA256, DNSKEY ED25519 support |
| 8926875 | secure.d2a16n1.rootcanary.net |
A |
DS SHA256, DNSKEY ED448 support |
| 8926876 | bogus.d2a16n1.rootcanary.net |
A |
DS SHA256, DNSKEY ED448 support |
These are ongoing measurements repeated every hour against the probe resolvers to determine DS algorithm support:
| msm_id | query | purpose | |
|---|---|---|---|
| 8926887 | secure.d3a8n1.rootcanary.net |
A |
DS GOST, DNSKEY RSASHA256 support |
| 8926888 | bogus.d3a8n1.rootcanary.net |
A |
DS GOST, DNSKEY RSASHA256 support |
| 8926911 | secure.d4a8n1.rootcanary.net |
A |
DS SHA384, DNSKEY RSASHA256 support |
| 8926912 | bogus.d4a8n1.rootcanary.net |
A |
DS SHA384, DNSKEY RSASHA256 support |
These ongoing measurements, repeated every 4 hours, have started 19 July 2018 on request for the rootcanary project, to measure the Root Trust Anchors present at the DNSSEC validating resolvers with the Root Trust Anchor mechanism described in RFC8509. Results of those measurements need to be carefully compared according the method described in RFC8509.
| msm_id | query | purpose | |
|---|---|---|---|
| 15283670 | root-key-sentinel-not-ta-19036.d2a8n3.rootcanary.net |
A |
Root Trust Anchor Sentinel support |
| 15283671 | root-key-sentinel-not-ta-20326.d2a8n3.rootcanary.net |
A |
Root Trust Anchor Sentinel KSK 20326 Availability |
| 16430285 | root-key-sentinel-is-ta-20326.d2a8n3.rootcanary.net |
A |
Root Trust Anchor Sentinel KSK 20326 Availability |
These ongoing measurements, repeated every hour, have started 11 October 2018 on request for the rootcanary project, at the time to measure the time the root KSK rollover took to propagate to the resolver caches of RIPE Atlas probe resolvers. They can also be used to monitor how root ZSK roll-overs propagate to the resolver caches. ZSK roll-overs happen every three months.
| msm_id | query | purpose | |
|---|---|---|---|
| 16456440 | . |
DNSKEY |
Root DNSKEY rollover |
| 16456441 | . |
RRSIG |
Root DNSKEY rollover |
This ongoing measurements, recurring every four hours, has started 30 January 2019 for the DNS flag day 2019 event, to measure the uptake of resolvers that do not retry if sending with EDNS(0) option results in no answer. The query reaches a specially crafted authoritative nameserver that drops all queries with EDNS(0) option.
| msm_id | query | purpose | |
|---|---|---|---|
| 19256455 | $r.$p.$t.flagday.rootcanary.net. |
A |
DNS Flag Day measurements with qbuf |
| msm_id | query | purpose | |
|---|---|---|---|
| 23865475 | $r-$t-$p.invalid.valid4.rootcanary.net. |
A |
IPv4 Route origin Validation |
| 23865476 | $r-$t-$p.invalid.valid6.rootcanary.net. |
AAAA |
IPv6 Route origin Validation |