[dns-operations] Research Project: Identifying DNSSEC Validators
matthaeus.wander at uni-due.de
Wed Sep 5 00:30:52 UTC 2012
On 04.09.2012 22:57, Wessels, Duane wrote:
> Within Verisign Labs we have a project underway to quantify the number of
> DNSSEC-validating resolvers in use on the Internet. In particular, we
> want to identify recursive name servers which have configured the root
> zone trust anchor. We find this data a useful metric for DNSSEC adoption
> and especially helpful for informing discussions about key rollovers for
> the root zone.
My research group has a similar project that you may be interested in.
We run a DNSSEC validation test with user feedback at
http://dnssec.vs.uni-due.de (for fun) and a hidden test in some websites
(for research). We gathered 69k results from 54k distinct IP addresses
since May this year. The validation ratio was 4.4%, which is close to the
3.25% of the current VeriSign 'prefetch' results. Our results vary
significantly by country, US is ~13% (Comcast...), some European
countries up to 4% and the others are basically zero (this might be
inaccurate, the majority of our results are from DE and US).
> In order for our measurements to be meaningful, we need to receive
> queries from a wide variety of recursive name servers. To achieve this
> goal we ask members of the DNS and networking communities to assist by
> adding the following single line of HTML code to your web pages:
> <a href="http://prefetch.validatorsearch.verisignlabs.com"></a>
> This HTML snippet should have no visible impact on a rendered page. Since
> nearly all web browsers now implement DNS prefetching, the code above
> results in a DNS query for the name shown and allows us to characterize
> the recursive name server that the query goes through.
Our test methodology is to load 1px images from two domain names, one
correctly signed and the other one with a broken signature.
> Please note that we are not interested in identifying individual users who
> have loaded the web page. The name above points to the localhost IP address
> (127.0.0.1) so even if someone does manage to "click" on it, that request
> does not reach us.
Definitely an advantage over our test as we generate more traffic and
log HTTP requests.
> For some preliminary results, please visit the project web page at
Here's some more information about our measurements:
I'm right now putting all results together in a paper for PAM2013
(submission is next week).
Fachgebiet Verteilte Systeme
Bismarckstr. 90 / BC 316
Tel: +49 203 379 2767
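The two-image methodology described in the message above (one 1px image from a correctly signed name, one from a name with a broken signature; a validating resolver answers SERVFAIL for the latter, so that image never loads) can be written as a small browser probe. The following is an added example, not the uni-due.de test's own code. The hostnames VALID_HOST and BROKEN_HOST are hypothetical placeholders, and simulatedImageClass is a constructed stand-in for the browser's Image object so the probe can be exercised offline against a simulated validating and non-validating resolver.

```javascript
// Added example: browser-side DNSSEC validation probe in the style of the
// two-image test. Hostnames are hypothetical placeholders (assumption):
// VALID_HOST is correctly signed, BROKEN_HOST carries a broken RRSIG.
const VALID_HOST = 'ok.dnssec-test.example';
const BROKEN_HOST = 'bad.dnssec-test.example';
const PROBE_TIMEOUT_MS = 5000;

// Pure classification of the two image outcomes.
//   valid loads, broken fails  -> resolver validates (SERVFAIL on bad sig)
//   both load                  -> resolver does not validate
//   valid fails                -> no connectivity, probe host blocked, or
//                                 something else is broken: inconclusive
function classifyResolver(validLoaded, brokenLoaded) {
  if (validLoaded && !brokenLoaded) return 'validating';
  if (validLoaded && brokenLoaded) return 'non-validating';
  return 'inconclusive';
}

// Load one 1x1 image; resolves true on load, false on error or timeout.
// The timeout matters: a validating resolver may retry upstream for several
// seconds before it gives up and returns SERVFAIL, so a lookup that hangs
// must count as "not loaded" rather than stall the probe.
function probeImage(host, timeoutMs, ImageCtor) {
  return new Promise((resolve) => {
    const img = new ImageCtor();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-buster so the browser does not serve the pixel from its own
    // cache; DNS caching at the resolver is governed by the names' TTLs.
    img.src = 'http://' + host + '/pixel.gif?nocache=' + Date.now() + '-' + Math.random();
  });
}

// Run both probes concurrently and return the raw outcomes plus the verdict.
async function runDnssecProbe(ImageCtor, timeoutMs = PROBE_TIMEOUT_MS) {
  const [validLoaded, brokenLoaded] = await Promise.all([
    probeImage(VALID_HOST, timeoutMs, ImageCtor),
    probeImage(BROKEN_HOST, timeoutMs, ImageCtor),
  ]);
  return { validLoaded, brokenLoaded, verdict: classifyResolver(validLoaded, brokenLoaded) };
}

// Constructed stand-in for the browser Image object (not real DNS): it
// "resolves" the two hostnames through a simulated resolver. With
// validates=true the broken name fails; with hangOnBroken the simulated
// resolver never answers for the broken name, exercising the timeout path.
function simulatedImageClass({ validates, hangOnBroken = false }) {
  return class FakeImage {
    set src(url) {
      const host = new URL(url).hostname;
      const brokenSig = host === BROKEN_HOST;
      if (brokenSig && validates && hangOnBroken) return; // no answer at all
      const loads = !brokenSig || !validates;
      setTimeout(() => {
        if (loads) { if (this.onload) this.onload(); }
        else if (this.onerror) this.onerror();
      }, 10);
    }
  };
}

// Browser entry point; under Node there is no Image, so nothing fires here.
if (typeof Image !== 'undefined') {
  runDnssecProbe(Image).then((r) => console.log('DNSSEC probe:', r));
}
```

Two practical caveats when deploying something like this: the pixels are fetched over plain http, so on an https page they are blocked as mixed content and the verdict comes out 'inconclusive'; and the probe only tells you about the resolver the browser ends up using (for example a validating ISP resolver behind a non-validating home router forwarder), not about the client itself.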