cluster analysis of mismatches
Keeping in mind that the analysis is not going to be 100 % automated, we still need a tool to help with detecting clusters of related failures.
It would be valuable to have a tool which walks through the DNS tree for multiple queries and clusters the queries according to the features observed in the DNS tree (e.g. which record types the authoritative servers answer, or what the parent zone says about the delegation).
Example
Multiple sites do not reply correctly to the query site.example. DNSKEY, but at the same time these sites do not have a site.example. DS record in the parent zone. For these sites, even though they are not behaving correctly, the resolution algorithm can be modified not to ask for DNSKEY if DS does not exist: without a DS record the delegation is insecure and the DNSKEY is never needed for validation. This would be an effective workaround which is still standards-compliant.
There are multiple issues like this. To prioritize the work it would be incredibly valuable to cluster the detected mismatches, e.g. into a cluster "does not reply for DNSKEY, does not have DS in parent". Then we can compare the sizes of the clusters and decide what to do first, what can be postponed, and what should be ignored completely because it is totally protocol non-compliant and no standards-compliant workaround exists.
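As an added illustration (not code from the original page or from any project it describes), the following Python sketch shows the clustering step on constructed observations. Each record stands for one site walked by the hypothetical tool; the field names (dnskey_reply, ds_in_parent, tcp) and the observed values are assumptions made up for the example. Records are grouped by a chosen feature tuple, clusters are ordered by size, and the cluster from the example above ("no DNSKEY reply, no DS in parent") is mapped to the DS-gated workaround, while the same failure with a DS present is flagged as having no compliant workaround.

```python
"""Cluster DNS resolution mismatches by features observed in the DNS tree.

Constructed example: observations, field names and values are invented
for illustration; nothing here is measured data.
"""
from collections import defaultdict

# One constructed observation per site (assumed field names).
OBSERVATIONS = [
    {"name": "a.example.", "dnskey_reply": "timeout", "ds_in_parent": False, "tcp": True},
    {"name": "b.example.", "dnskey_reply": "timeout", "ds_in_parent": False, "tcp": False},
    {"name": "c.example.", "dnskey_reply": "refused", "ds_in_parent": False, "tcp": True},
    {"name": "d.example.", "dnskey_reply": "timeout", "ds_in_parent": True,  "tcp": True},
    {"name": "e.example.", "dnskey_reply": "ok",      "ds_in_parent": True,  "tcp": False},
    {"name": "f.example.", "dnskey_reply": "ok",      "ds_in_parent": False, "tcp": False},
    {"name": "g.example.", "dnskey_reply": "formerr", "ds_in_parent": False, "tcp": True},
]


def coarse_features(obs):
    """Features that define a cluster for triage purposes.

    Every failed DNSKEY answer (timeout, refused, formerr, ...) is folded
    into a single "no-reply" value: for the workaround decision it does
    not matter *how* the server failed, only that it did and whether the
    parent zone has a DS record.
    """
    dnskey = "ok" if obs["dnskey_reply"] == "ok" else "no-reply"
    return (("dnskey", dnskey), ("ds_in_parent", obs["ds_in_parent"]))


def fine_features(obs):
    """Every observed feature except the site name; much smaller clusters."""
    return tuple(sorted((k, v) for k, v in obs.items() if k != "name"))


def cluster(observations, feature_fn=coarse_features):
    """Group observations by feature tuple, largest cluster first.

    Returns a list of (features, [site names]); sorting is stable, so
    equally sized clusters keep first-seen order.
    """
    groups = defaultdict(list)
    for obs in observations:
        groups[feature_fn(obs)].append(obs["name"])
    return sorted(groups.items(), key=lambda kv: len(kv[1]), reverse=True)


# Recommendation per coarse cluster. Only the DS-less case has a workaround
# that stays standards-compliant: with no DS the delegation is insecure and
# the DNSKEY is never needed, so the resolver may simply not ask for it.
RECOMMENDATIONS = {
    (("dnskey", "no-reply"), ("ds_in_parent", False)):
        "workaround: do not query DNSKEY when DS is absent (treat as insecure)",
    (("dnskey", "no-reply"), ("ds_in_parent", True)):
        "no compliant workaround: DS present, validation must fail",
}


def triage(observations):
    """Attach a recommendation and size to each coarse cluster."""
    result = []
    for feats, names in cluster(observations, coarse_features):
        rec = RECOMMENDATIONS.get(feats, "no action: behaves correctly")
        result.append({"features": feats, "size": len(names),
                       "sites": names, "recommendation": rec})
    return result


def should_query_dnskey(ds_in_parent):
    """The modified resolution step from the example: ask for DNSKEY only
    when the parent zone has a DS record for the delegation."""
    return bool(ds_in_parent)


if __name__ == "__main__":
    for entry in triage(OBSERVATIONS):
        print(f"{entry['size']:2d}  {dict(entry['features'])}  {entry['recommendation']}")
        print("    ", ", ".join(entry["sites"]))
```

Running the script prints the clusters in priority order; the four DS-less sites that never answer DNSKEY form the largest cluster and get the workaround, d.example. (DS present, no DNSKEY answer) is reported as unfixable on the resolver side, and the two correctly behaving sites need no action. Switching cluster() to fine_features shows why feature selection matters: with the tcp flag included, the same seven sites split into many singleton clusters and the size comparison becomes useless.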