[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Apr 30 05:23:49 UTC 2018
I was looking around for DNSSEC-adoption statistics that might be more comprehensive than what I've gathered as a side-effect of the DANE-adoption survey, but so far I am just finding significantly smaller numbers, so I decided to post some numbers below. If anyone is aware of broader surveys that reach higher totals, I'd like to know where my gap lies.
Total secure delegations from public-suffix domains: 5,906,891
The top 10 suffixes with DNSSEC-delegated subdomains are:
1417555 .nl
892186 .se -- based on full zone access
874038 .com -- based on full zone access
420095 .fr -- based on 30-day old opendata.fr name list
340503 .no
304801 .cz
301306 .eu
230590 .com.br
150053 .nu -- based on full zone access
131356 .be
Many of the domains are likely parked, so lookup failure may not matter, in
any case ~2.0% don't return validated DNSKEY RRsets:
Delegations where the DNSKEY RRset validates: 5,787,259
Of domains with a valid DNSKEY RRset MX lookups very rarely fail
to return either a non-empty signed RRset or working denial of
existence:
Secure MX RRsets at delegated zone apex: 5,786,858
With just 401 (0.007%) MX lookup failures for domains with a working
DNSKEY RRset.
An additional 158,170 child domains of public suffixes have valid DNSSEC-signed MX records by virtue of being served out of the parent zone rather than delegated. This makes DANE for SMTP possible in principle for 5,945,028 domains of which at last scan 205,396 (3.4%) have TLSA records for at least all the primary MX hosts, and only 1409 of those domains fail to have TLSA records for some secondary MX hosts.
The top 10 public suffixes serving non-delegated domains are:
116074 de
14362 info
9394 at
6481 pw
2958 in
1047 uk
1012 ma
881 jp
862 lk
791 mobi
--
Viktor.
More information about the dns-operations
mailing list