[dns-operations] Measuring Occurrence of DNSSEC Validation

Matthäus Wander matthaeus.wander at uni-due.de
Thu Sep 13 22:26:59 UTC 2012


Hi,

here are the results of my DNSSEC validation measurements:
http://www.vs.uni-due.de/personal/wander/dnssec_validation.pdf

The online test is available here: http://dnssec.vs.uni-due.de

Please note that the VeriSign test explained in the paper is the
Picard/Borat test at http://test.dnssec-or-not.net which you probably
have seen before. It is NOT the prefetch test that Duane announced recently.

Abstract:
"DNSSEC is a security extension that adds public-key signatures to the
Domain Name System for the purpose of data authenticity and integrity.
While DNSSEC signatures are being deployed on an increasing number of
name servers, little is known about the deployment advancements of
DNSSEC validation. In this paper we present a methodology to determine
whether a client is protected by DNSSEC validation. We applied our
methodology over a period of 4 months collecting results from different
data sources. After data cleaning, we gathered 76,364 results from
59,985 distinct IP addresses, out of which 4.5% had validation enabled.
The ratio varies significantly per country, with Sweden, the Czech
Republic and the United States having the largest ratios of validating
clients in the field."

Kind regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5156 bytes
Desc: S/MIME Kryptografische Unterschrift
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120914/6f1664f6/attachment.bin>


More information about the dns-operations mailing list