The secspider.cs.ucla.edu. DLV records are obtained from our existing DNSSEC crawl (once per day). We have pollers in several locations in different organizations, different continents, and so forth and each poller attempts to obtain a DNSKEY RRset from a zone. The secspider.cs.ucla.edu. zone only includes DLV records for DNSKEY RRsets that are consistent across all pollers for a zone. Specifically, for each zone polled by SecSpider, the DNSKEY sets must be consistent across all pollers except pollers that were unable to see any keys at all (failed pollers). If a zone is seen to have different DNSKEY sets from different pollers, or serves expired keys, the values are not entered into secspider.cs.ucla.edu. In essence, this zone only has DLV records for DNSKEY sets that are the same from all online pollers in SecSpider.

To query secspider.cs.ucla.edu type:
dig <zone_name>.dlv.secspider.cs.ucla.edu. dlv
- or -
dig se.dlv.secspider.cs.ucla.edu. dlv

We hope that zone administrators will be willing to periodically query SecSpider to find out if their DNSKEY sets are accurately seen by SecSpider's pollers (and of course let us know if any issues or concerns). Furthermore, we hope this new zone will be a useful service for people to check if the DNSKEYs that their resolvers have match the view seen from SecSpider's distributed vantage point.

SecSpider polls its list of zones every night, and generates and signs secspider.cs.ucla.edu. afterwards. If you would like to be added to SecSpider's polling, please visit us at: http://secspider.cs.ucla.edu/ and register. Submitted zones will be added to the next morning's crawl.

Most importantly, we are eager for feedback! Specifically (but not limited to) is there another view that would be useful? Is there more information that would make it easier to produce subsets of this list of DLVs. What subsets would be useful, etc.

Wed, 12 Mar 2008 10:31:31 PDT

Comments: