SecSpider the DNSSEC Monitoring Project

Frequently Asked Questions (FAQ)



Q: What does consistency mean?
A: Consistency is the percentage of active pollers that found identical data for a given data set. If any data item in the set observed by one poller differs from what the other pollers observed, those sets are considered inconsistent.
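As an added illustration of that definition (example code, not SecSpider's own), the following compares the DNSKEY RRset each poller reported for one zone. The poller names and key values are constructed; the point is that a set differing in a single item counts as a whole as inconsistent, and consistency is the share of pollers that agree with the most common view.

```python
from collections import Counter

# Constructed poller observations (not real SecSpider data): each poller
# reports the DNSKEY RRset it saw for one zone as a frozenset of
# (flags, protocol, algorithm, key-material) tuples.
OBSERVATIONS = {
    "poller-a": frozenset({(257, 3, 8, "KSK-A"), (256, 3, 8, "ZSK-1")}),
    "poller-b": frozenset({(257, 3, 8, "KSK-A"), (256, 3, 8, "ZSK-1")}),
    "poller-c": frozenset({(257, 3, 8, "KSK-A"), (256, 3, 8, "ZSK-1")}),
    # This poller saw an older ZSK (e.g. a cached RRset); one differing item
    # makes its whole set inconsistent with the others.
    "poller-d": frozenset({(257, 3, 8, "KSK-A"), (256, 3, 8, "ZSK-0")}),
}


def majority_view(observations):
    """The data set reported by the largest number of pollers."""
    counts = Counter(observations.values())
    view, _ = counts.most_common(1)[0]
    return view


def consistency(observations):
    """Percentage of active pollers whose observed set is identical to the
    majority view. Sets are compared whole, so any differing item counts."""
    if not observations:
        return 0.0
    view = majority_view(observations)
    agreeing = sum(1 for seen in observations.values() if seen == view)
    return 100.0 * agreeing / len(observations)


def dissenting_pollers(observations):
    """Names of pollers whose set differs from the majority view."""
    view = majority_view(observations)
    return sorted(name for name, seen in observations.items() if seen != view)


if __name__ == "__main__":
    print(f"consistency: {consistency(OBSERVATIONS):.1f}%")   # 75.0%
    print("dissenting:", dissenting_pollers(OBSERVATIONS))    # ['poller-d']
```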
Q: What is a stale RRset?
A: A stale RRset is an RRset that is vulnerable to replay. This occurs when an already-signed RRset is re-signed while its previous signature is still valid AND the new RRset has new values. An example would be if a DNSKEY set is signed for a month, and during that month (say on day 2) an existing DNSKEY is replaced (or the set is just augmented with a new DNSKEY). In any similar case, the RRset has changed, but the old signature will still verify it for the remainder of the month. We call this set "stale."
Q: How do you determine DNSKEY lifetime?
A: The RRSIG attached to the DNSKEY RRset determines the DNSKEY lifetime.
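The two answers above (stale RRsets and DNSKEY lifetime) can be checked from the same data: the RRSIG inception and expiration fields. The following is an added example, not SecSpider's code; it works on a constructed observation history for one zone's DNSKEY RRset (key tags are made up) and reports any earlier RRset that differs from the current one while its old signature is still within its validity window, which is exactly the replay condition the FAQ describes.

```python
from datetime import datetime, timezone


def parse_rrsig_time(stamp):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHMMSS, UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def dnskey_lifetime(inception, expiration):
    """The DNSKEY RRset's lifetime is the validity window of its RRSIG."""
    return parse_rrsig_time(expiration) - parse_rrsig_time(inception)


# Constructed observation history (not real data) for one zone's DNSKEY RRset:
# (observed_at, rrsig_inception, rrsig_expiration, frozenset of key tags).
HISTORY = [
    ("20240101000000", "20240101000000", "20240201000000",
     frozenset({12345, 23456})),
    # Day 2: ZSK 23456 replaced by 34567 and the set re-signed. The earlier
    # signature over {12345, 23456} still verifies until 2024-02-01, so that
    # old set is replayable for the rest of the month.
    ("20240102000000", "20240102000000", "20240202000000",
     frozenset({12345, 34567})),
]


def find_stale(history, now):
    """Return (old_keys, replayable_until) for every earlier RRset whose
    contents differ from the current RRset but whose RRSIG is still valid at
    `now` (an RRSIG-style timestamp string)."""
    now_dt = parse_rrsig_time(now)
    current_keys = history[-1][3]
    stale = []
    for _observed_at, inception, expiration, keys in history[:-1]:
        inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
        still_valid = inc <= now_dt < exp
        if keys != current_keys and still_valid:
            stale.append((keys, exp))
    return stale


if __name__ == "__main__":
    print("lifetime:", dnskey_lifetime("20240101000000", "20240201000000"))
    for keys, until in find_stale(HISTORY, "20240115000000"):
        print(f"stale RRset {sorted(keys)} replayable until {until:%Y-%m-%d}")
```

Once `now` passes the old signature's expiration (2024-02-01 in this constructed history), the earlier set no longer verifies and drops out of the stale list.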
Q: How do you determine trust anchors?
A: We look for DS records for a zone's keys in the parent zone. If we locate any, we attempt to cryptographically verify them. If at least one of the records is verified to be correct, the parent zone is considered the trust anchor.
Q: How do you determine islands of trust?
A: We trace all trust delegations (i.e., DS records) as far up the DNS hierarchy as possible. Once we reach a zone whose parent does not contain a DS record, we consider that zone the trust anchor for an island of trust. All zones for which there is a delegation chain from that anchor are considered parts of the island.
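The trace described in the two answers above, as an added example (not SecSpider's code): given, for each signed zone, whether its parent publishes a DS record that verified against the zone's keys, walk up the hierarchy until a zone whose parent has no DS is reached; that zone anchors an island, and every zone whose chain leads to it belongs to that island. The zone names and DS results are constructed, and the root "." is treated as the anchor of zones whose chain reaches it.

```python
# Constructed delegation data (not real measurements): for each signed zone,
# True if its parent publishes a DS record that verified against the zone's
# DNSKEY, False if the parent has no (verified) DS for it.
HAS_VERIFIED_DS = {
    "example.":         True,   # DS in the root zone: chain reaches "."
    "a.example.":       True,
    "b.a.example.":     True,
    "c.example.":       False,  # no DS in example.: c.example. anchors an island
    "d.c.example.":     True,   # DS in c.example.: joins that island
    "lonely.test.":     False,  # its own island
    "sub.lonely.test.": False,  # parent is signed but publishes no DS: separate island
}


def parent_zone(name):
    """Parent of a fully qualified zone name ('example.' -> '.')."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def trust_anchor(zone, has_verified_ds):
    """Follow verified DS delegations upward; the first zone whose parent
    holds no DS for it is the trust anchor of `zone`'s island. The root "."
    is never in the map, so a chain that reaches it stops there."""
    current = zone
    while has_verified_ds.get(current, False):
        current = parent_zone(current)
    return current


def islands(has_verified_ds):
    """Group every zone under the anchor its delegation chain leads to."""
    groups = {}
    for zone in has_verified_ds:
        anchor = trust_anchor(zone, has_verified_ds)
        groups.setdefault(anchor, set()).add(zone)
    return groups


if __name__ == "__main__":
    for anchor, members in sorted(islands(HAS_VERIFIED_DS).items()):
        print(f"island anchored at {anchor}: {sorted(members)}")
```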
Q: What is the format for the DS and DNSKEY record files?
A: Please refer to the usage page.
Q: How do I use the signed DS and DNSKEY record files?
A: We provide cryptographic signatures for the DS and DNSKEY records so end-users can verify that the data values have not been tampered with. In order to verify them, you need PGP software (such as GPG) and our public key, which can be found on the main page. Please refer to the documentation for your PGP software to see how to verify signatures.
Q: Can we access your raw data?
A: Yes, contact us to work out the details.
Q: What is a "Production" zone?
A: SecSpider attempts to separate DNSSEC test zones from those that appear to be in production. The goal is to aid people in finding information about zones, and to differentiate between behaviors seen in actual deployments and test-zone behavior.

When we crawl our list of zones, we also test each zone to see if it has been configured with either a "www" A record or an MX record, and if either of them is online and accepting connections. Any zone that meets these criteria is considered a "Production" zone. To correct for zones that are in production but are missed by our automated tests, we offer the option for users to specify that a zone is production (regardless of whether it has a www or MX record, etc.).

