[dns-operations] DS algorithm statistics

Richard Lamb richard.lamb at icann.org
Fri Apr 28 04:07:39 UTC 2017 

Nice. Thank you.

FWIW I publish 2ld algs at
https://rick.eng.br/dnssecstat/
and just for tld
https://www.co.tt/dnssec_scan_val.html



> -----Original Message-----
> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf
> Of Viktor Dukhovni
> Sent: Thursday, April 27, 2017 7:19 PM
> To: dns-operations <dns-operations at dns-oarc.net>
> Subject: [dns-operations] DS algorithm statistics
> 
> 
> Don't know whether anyone else has reported similar data, so I thought I'd
> share.
> 
> In a survey of 4419665 2LD/3LD domains with signed DS records in a public
> suffix parent zone, the frequencies of DS algorithm and DS digest type are:
> 
>  domains alg  dt
>  ------- ---  --
>  2264239   8   2    (Alg 8 is by far the most prevalent)
>  1244736   7   2    (But 7 is still going strong)
>   694389   8   1
>   415606  13   2    (ECDSA P-256 has ~10% penetration)
>   219065   7   1
>   164304   5   2    (Algorithm 5 still has ~5 penetration)
>    68619   5   1
>    40094   8   3    (odd combination of RSASHA256 with GOST digest)
>    27664  13   1
>    25301  10   2    (RSA/SHA512 is not popular)
>     3503  13   4    (almost nobody is bothering with SHA384)
>     2359   8   4
>      970   3   2    (Wow, there are still some DSA domains)
>      882  10   1
>      683  14   2    (P-384 is not even on the radar)
>      237   5   4    (RSASHA1 alg with SHA-384 DS digest!)
>      137  14   1
>       91   1   1
>       78  13   3
>       60   3   1
>       57  14   4
>       54  12   2    (Very much "nobody" is using the GOST alg)
>       35  14   3
>       32   1   2
>       31   2   1
>       26  10   4
>       20  12   1
>       17  10   3
>       14   7   4
>       13  12   3
>       11 254   2   (Some private algorithms in the wild)
>       10   6   2   (A bit more DSA)
>       10   2   2   (What does alg 2 mean for DS?)
>        7 254   1
>        6   6   1
>        4 253   2
>        4 253   1
>        3   2   3
>        2   5   3
>        2   3   3
>        2 253   3
>        2   1   4
>        2   1   3
>        1   8  61   (Interesting digest you've got there)
>        1   7   3
>        1   2   4
>        1  13  21   (Ditto)
>        1   0   2   (0 is for CDS, don't think it does anything with DS)
> 
> The aggregates by algorithm are:
> 
> 	  count alg
>         ------- ---
> 	1	0
> 	122	1
> 	42	2
> 	1020	3
> 	222562	5
> 	12	6
> 	1423667	7
> 	2327596	8
> 	25509	10
> 	67	12
> 	421981	13
> 	710	14
> 	11	253
> 	18	254
> 
> By digest type:
> 
> 	1012236	1
> 	4118266	2
> 	40237	3
> 	6199	4
> 	1	21
> 	1	61
> 
> Of course many domains have a mixture of DS RRs and digest types, which is
> how the numbers add up to more than the total number of domains.
> 
> --
> 	Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list