[dns-operations] DS algorithm statistics
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Apr 28 02:18:41 UTC 2017
Don't know whether anyone else has reported similar data, so I thought I'd share.
In a survey of 4419665 2LD/3LD domains with signed DS records in a public suffix
parent zone, the frequencies of DS algorithm and DS digest type are:

domains alg dt
------- --- --
2264239   8  2  (Alg 8 is by far the most prevalent)
1244736   7  2  (But 7 is still going strong)
 694389   8  1
 415606  13  2  (ECDSA P-256 has ~10% penetration)
 219065   7  1
 164304   5  2  (Algorithm 5 still has ~5 penetration)
  68619   5  1
  40094   8  3  (odd combination of RSASHA256 with GOST digest)
  27664  13  1
  25301  10  2  (RSA/SHA512 is not popular)
   3503  13  4  (almost nobody is bothering with SHA384)
   2359   8  4
    970   3  2  (Wow, there are still some DSA domains)
    882  10  1
    683  14  2  (P-384 is not even on the radar)
    237   5  4  (RSASHA1 alg with SHA-384 DS digest!)
    137  14  1
     91   1  1
     78  13  3
     60   3  1
     57  14  4
     54  12  2  (Very much "nobody" is using the GOST alg)
     35  14  3
     32   1  2
     31   2  1
     26  10  4
     20  12  1
     17  10  3
     14   7  4
     13  12  3
     11 254  2  (Some private algorithms in the wild)
     10   6  2  (A bit more DSA)
     10   2  2  (What does alg 2 mean for DS?)
      7 254  1
      6   6  1
      4 253  2
      4 253  1
      3   2  3
      2   5  3
      2   3  3
      2 253  3
      2   1  4
      2   1  3
      1   8 61  (Interesting digest you've got there)
      1   7  3
      1   2  4
      1  13 21  (Ditto)
      1   0  2  (0 is for CDS, don't think it does anything with DS)

The aggregates by algorithm are:

  count alg
------- ---
      1   0
    122   1
     42   2
   1020   3
 222562   5
     12   6
1423667   7
2327596   8
  25509  10
     67  12
 421981  13
    710  14
     11 253
     18 254

By digest type:

1012236   1
4118266   2
  40237   3
   6199   4
      1  21
      1  61

Of course many domains have a mixture of DS RRs and digest types,
which is how the numbers add up to more than the total number of
domains.
--
Viktor.
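
An added example, not part of the original post: a Python sketch of how counts like these can be produced from DS records in presentation format, counting each domain once per algorithm and once per digest type, which is why the totals exceed the number of domains. The sample records, function names and anomaly labels are constructed for illustration, and the length table covers digest types 1-4 only.

```python
from collections import Counter

# Hex-digit length of the digest for DS digest types 1-4 (SHA-1, SHA-256, GOST, SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64, 4: 96}

# Constructed sample DS RRs; the digests are filler, not real hashes.
SAMPLE = """\
example.org. 86400 IN DS 12345 8 2 {a}
example.org. 86400 IN DS 12345 8 1 {b}
example.net. 86400 IN DS 2371 13 2 {a}
example.net. 86400 IN DS 2371 13 2 {a}
example.com. 86400 IN DS 40000 7 1 {b}
example.com. 86400 IN DS 40001 8 61 {b}
""".format(a="AB" * 32, b="CD" * 20)


def parse_ds(line):
    """Return (owner, alg, digest_type, digest_hex) for one DS RR line."""
    fields = line.split()
    i = fields.index("DS", 1)          # skip the owner name itself
    alg, dt = int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:])   # a digest may be split by whitespace
    return fields[0].lower(), alg, dt, digest


def tally(text):
    """Count domains per (alg, dt), per alg and per dt; list odd records."""
    rrs, anomalies = set(), set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, alg, dt, digest = parse_ds(line)
        rrs.add((owner, alg, dt))      # duplicate RRs collapse here
        if dt not in DIGEST_HEX_LEN:
            anomalies.add((owner, alg, dt, "digest type not in table"))
        elif len(digest) != DIGEST_HEX_LEN[dt]:
            anomalies.add((owner, alg, dt, "digest length mismatch"))
    domains = {o for o, _, _ in rrs}
    by_pair = Counter((a, d) for _, a, d in rrs)
    # A domain counts once per algorithm and once per digest type.
    by_alg = Counter(a for _, a in {(o, a) for o, a, _ in rrs})
    by_dt = Counter(d for _, d in {(o, d) for o, _, d in rrs})
    return len(domains), by_pair, by_alg, by_dt, sorted(anomalies)


if __name__ == "__main__":
    n, by_pair, by_alg, by_dt, odd = tally(SAMPLE)
    print(n, "domains;", sum(by_pair.values()), "(alg, dt) rows;", odd)
    print("by alg:", dict(by_alg), "by digest type:", dict(by_dt))
```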