[dns-operations] Research Project: Identifying DNSSEC Validators

Matthäus Wander matthaeus.wander at uni-due.de
Wed Sep 5 00:30:52 UTC 2012


Am 04.09.2012 22:57, schrieb Wessels, Duane:
> Within Verisign Labs we have a project underway to quantify the number of
> DNSSEC-validating resolvers in use on the Internet.  In particular, we
> want to identify recursive name servers which have configured the root
> zone trust anchor.  We find this data a useful metric for DNSSEC adoption
> and especially helpful for informing discussions about key rollovers for
> the root zone.

My research group has a similar project that you may be interested in.
We run a DNSSEC validation test with user feedback at
http://dnssec.vs.uni-due.de (for fun) and a hidden test in some websites
(for research). We gathered 69k results from 54k distinct IP addresses
since May this year. The validation ratio was 4.4% which is close to the
3.25% of the current VeriSign 'prefetch' results. Our results vary
significantly by country, US is ~13% (Comcast...), some European
countries up to 4% and the others are basically zero (this might be
inaccurate, the majority of our results are from DE and US).

> In order for our our measurements to be meaningful, we need to receive
> queries from a wide variety of recursive name servers.  To achieve this
> goal we ask members of the DNS and networking communities to assist by
> adding the following single line of HTML code to your web pages:
> <a href="http://prefetch.validatorsearch.verisignlabs.com"></a>
> This HTML snippet should have no visible impact on a rendered page.  Since
> nearly all web browsers now implement DNS prefetching, the code above
> results in a DNS query for the name shown and allows us to characterize
> the recursive name server that the query goes through.

Our test methodology is to load 1px images from two domain names, one
correctly signed and the other one with a broken signature.

> Please note that we are not interested in identifying individual users who
> have loaded the web page.  The name above points to the localhost IP address
> ( so even if someone does manage to "click" on it, that request
> does not reach us.

Definitely an advantage over our test as we generate more traffic and
log HTTP requests.

> For some preliminary results, please visit the project web page at
> http://validatorsearch.verisignlabs.com/

Here's some more information about our measurements:

I'm right now putting all results together in a paper for PAM2013
(submission is next week).

Kind regards,

Universität Duisburg-Essen
Fachgebiet Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
Tel: +49 203 379 2767

More information about the dns-operations mailing list