> I'd be curious to know what you're seeing for the dominant "_<port>" >> number in the observed TLSA queries, and whether any particular >> resolvers are responsible for the bulk of the "_25" queries.
In the previous e-mail I sent the client's source ports counts, in addition to the counts per IP. Now I see you meant something else, the port number listed in the qname: E.g: the "25" part in _25._tcp.mail.example2.nl. So for that, I parsed the query as follows, in SQL/Impala syntax: select regexp_extract(qname, "^(_[0-9]*)\.",0) as label, count(1) as total from dns.queries where qtype=52 and year='2015' group by label order by total desc; The results, for the top 20, are: Port,TotalQueries 25,93592 443,36536 NA,4011 587,885 465,878 8443,98 2222,70 4040,66 8888,38 2223,35 5222,25 48443,24 5001,23 1443,20 448,20 2087,16 4443,15 14443,15 2443,14 So it's more "popular" on e-mail than web. Just let me know if you need the entire csv. /giovane _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop