[dns-operations] November 2018 DNSSEC stats
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Dec 1 04:21:41 UTC 2018
[ With credit due to Paul Vixie of Farsight Security for supporting
this survey with ongoing data snapshots that help to significantly
improve the survey's coverage. Also of course ICANN for the gTLD
data via CZDS and data contributions from the TLD registries for
.CH, .COM, .DK, .INFO, .IS, .NAME, .LI, .NL and .ORG and open access
for .FR, .NU and .SE. More data sources of ccTLD signed delegations
welcome.
With help from Wes Hardaker, the data in this report are updated
daily at <http://stats.dnssec-tools.org/> (work-in-progress, but
fairly complete). ]
The November 2018 numbers from the DANE/DNSSEC survey are:
Total DS RRsets: 8,909,096
Validatable apex DNSKEY RRsets: 8,799,197
DNSKEY parameter frequency (1000 or more instances), by zone count:
 kskalgs | flags | proto | alg
---------+-------+-------+-----
    4742 |   257 |     3 |   3
  327338 |   257 |     3 |   5
 2193175 |   257 |     3 |   7
 4199903 |   257 |     3 |   8
  136019 |   257 |     3 |  10
 1875826 |   257 |     3 |  13
   61906 |   257 |     3 |  14
---------+-------+-------+-----
 zskalgs | flags | proto | alg
---------+-------+-------+-----
    4742 |   256 |     3 |   3
   98358 |   256 |     3 |   5
 2179912 |   256 |     3 |   7
 4135487 |   256 |     3 |   8
  135798 |   256 |     3 |  10
  814230 |   256 |     3 |  13
   60980 |   256 |     3 |  14
---------+-------+-------+-----
RSA key size distribution (1000 or more instances), by zone count:
 kskdomains | bits
------------+------
      68239 | 4096
    5169843 | 2048
     305744 | 1536
       3188 | 1280
    1308866 | 1024
       8055 |  512
------------+------
 zskdomains | bits
------------+------
      13750 | 4096
     114635 | 2048
     310476 | 1280
    6101754 | 1024
       7857 |  512
------------+------
RSA exponent distribution:
 domains | exp
---------+--------------
 6845294 | \x010001
   12748 | \x0100000001
     439 | \x03
      47 | \xff39 (65337 typo)
      34 | \x40000003
      19 | \xffff (65535 seems a poor choice)
---------+--------------
Breakdown by TLD of secure delegations found where the count
exceeds 999, ordered by decreasing number of domains (the true
number may be higher where authoritative data is not available):
TLD         | total-DS
------------+---------
nl          |  3102220
com         |   958181
se          |   749808
cz          |   595595
br          |   501845
eu          |   495807
pl          |   477670
fr          |   400624
no          |   387913
be          |   155552
net         |   132637
hu          |   121146
nu          |   108395
org         |    99918
de          |    89299
ch          |    62915
info        |    39078
app         |    37876
uk          |    33157
dk          |    23270
ovh         |    21493
biz         |    19718
es          |    17665
mx          |    16690
hk          |    15730
io          |    14113
pt          |    12307
shop        |    11080
me          |     9352
online      |     7685
us          |     7605
xyz         |     6669
at          |     6436
co          |     5725
amsterdam   |     5248
frl         |     4133
cloud       |     4037
kr          |     3893
tech        |     3725
re          |     3681
lv          |     3549
fi          |     3412
tv          |     3318
paris       |     2869
ru          |     2829
ca          |     2828
in          |     2801
store       |     2720
bank        |     2694
nrw         |     2468
xn--j6w193g |     2383
is          |     2066
email       |     1963
club        |     1930
world       |     1766
art         |     1738
immo        |     1666
it          |     1633
ee          |     1580
bzh         |     1487
site        |     1433
pro         |     1426
cc          |     1375
space       |     1292
au          |     1257
agency      |     1200
gov         |     1162
li          |     1126
mobi        |     1109
design      |     1095
one         |     1084
nz          |     1046
studio      |     1010
------------+---------
DNSKEY lookup success (non-success may be bogus, or some non-DNSSEC
error such as lame delegation, ...) rates by TLD with 1000 or more
signed delegations, ordered by decreasing success rate. The leaders
are still Hong Kong (1st and 3rd places), Brazil, Iceland and Mexico
(2nd, 4th and 5th places respectively):
TLD         | DNSKEY-ok | total-DS | %working
------------+-----------+----------+----------
xn--j6w193g |      2383 |     2383 |   100.00
br          |    501643 |   501845 |    99.96
hk          |     15722 |    15730 |    99.95
is          |      2062 |     2066 |    99.81
mx          |     16656 |    16690 |    99.80
app         |     37792 |    37876 |    99.78
art         |      1734 |     1738 |    99.77
ovh         |     21416 |    21493 |    99.64
immo        |      1659 |     1666 |    99.58
bzh         |      1479 |     1487 |    99.46
de          |     88806 |    89299 |    99.45
paris       |      2853 |     2869 |    99.44
studio      |      1004 |     1010 |    99.41
nl          |   3083430 |  3102220 |    99.39
re          |      3658 |     3681 |    99.38
no          |    385454 |   387913 |    99.37
fr          |    398055 |   400624 |    99.36
hu          |    120238 |   121146 |    99.25
agency      |      1191 |     1200 |    99.25
pro         |      1415 |     1426 |    99.23
cz          |    589602 |   595595 |    98.99
ee          |      1564 |     1580 |    98.99
ch          |     62263 |    62915 |    98.96
eu          |    490495 |   495807 |    98.93
tv          |      3282 |     3318 |    98.92
be          |    153832 |   155552 |    98.89
world       |      1746 |     1766 |    98.87
biz         |     19474 |    19718 |    98.76
cloud       |      3985 |     4037 |    98.71
fi          |      3368 |     3412 |    98.71
gov         |      1147 |     1162 |    98.71
online      |      7582 |     7685 |    98.66
mobi        |      1094 |     1109 |    98.65
info        |     38542 |    39078 |    98.63
it          |      1610 |     1633 |    98.59
pt          |     12123 |    12307 |    98.50
tech        |      3668 |     3725 |    98.47
org         |     98358 |    99918 |    98.44
one         |      1067 |     1084 |    98.43
li          |      1107 |     1126 |    98.31
io          |     13873 |    14113 |    98.30
se          |    736929 |   749808 |    98.28
nz          |      1028 |     1046 |    98.28
cc          |      1351 |     1375 |    98.25
me          |      9185 |     9352 |    98.21
bank        |      2644 |     2694 |    98.14
net         |    130008 |   132637 |    98.02
store       |      2666 |     2720 |    98.01
nu          |    106117 |   108395 |    97.90
at          |      6299 |     6436 |    97.87
kr          |      3810 |     3893 |    97.87
us          |      7441 |     7605 |    97.84
design      |      1071 |     1095 |    97.81
com         |    934936 |   958181 |    97.57
amsterdam   |      5119 |     5248 |    97.54
dk          |     22694 |    23270 |    97.52
club        |      1879 |     1930 |    97.36
uk          |     32227 |    33157 |    97.20
email       |      1907 |     1963 |    97.15
space       |      1253 |     1292 |    96.98
pl          |    462372 |   477670 |    96.80
es          |     17064 |    17665 |    96.60
ca          |      2729 |     2828 |    96.50
shop        |     10685 |    11080 |    96.44
xyz         |      6419 |     6669 |    96.25
co          |      5510 |     5725 |    96.24
site        |      1368 |     1433 |    95.46
lv          |      3381 |     3549 |    95.27
frl         |      3922 |     4133 |    94.89
au          |      1189 |     1257 |    94.59
in          |      2635 |     2801 |    94.07
ru          |      2575 |     2829 |    91.02
nrw         |      2213 |     2468 |    89.67
------------+-----------+----------+----------
It looks plausible that in .PL the vast majority of the
DNSKEY lookup failures are intentional, with ~16k domains that
have .PL DS RRs served sans DNSSEC by "ns[12].blocked.nazwa.pl",
such as:
cmfpjpu.pl IN NS ns1.blocked.nazwa.pl.
cmfpjpu.pl IN NS ns2.blocked.nazwa.pl.
dohhefu.pl IN NS ns1.blocked.nazwa.pl.
dohhefu.pl IN NS ns2.blocked.nazwa.pl.
fotaa927.pl IN NS ns1.blocked.nazwa.pl.
fotaa927.pl IN NS ns2.blocked.nazwa.pl.
ghppiow.pl IN NS ns1.blocked.nazwa.pl.
ghppiow.pl IN NS ns2.blocked.nazwa.pl.
hoovajc.pl IN NS ns1.blocked.nazwa.pl.
hoovajc.pl IN NS ns2.blocked.nazwa.pl.
Regular nazwa.pl domains seem to use "ns[123].nazwa.pl".
Bottom line, the non-successes in the above table are not necessarily
operational failures, they may well be intentional not-in-service
states.
A quick scan of all ~109k non-working domains shows that around
half fail even with validation disabled, so the aggregate problem
rate is at most ~0.5%, but likely much better as problem domains
may be in the process of being decommissioned or are parked,
... and there's no expectation of DNS availability.
--
Viktor.
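Added example (not part of Viktor's post, and not the survey's own tooling): the Python below parses DNSKEY RDATA in presentation format, splits an RFC 3110 RSA public key into exponent and modulus, and tabulates the same breakdown the report uses (SEP flag for KSK vs ZSK, algorithm, RSA modulus bits, RSA exponent). The sample records, the `fake_modulus` filler bytes and the review thresholds (RSA below 2048 bits, any exponent other than 65537 reported as unusual) are constructed assumptions for illustration, not survey data.

```python
import base64
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# IANA DNSSEC algorithm numbers for the algorithms that appear in the survey tables.
ALG_NAMES = {3: "DSA/SHA1", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
RSA_ALGS = {5, 7, 8, 10}
SHA1_ALGS = {3, 5, 7}
# Assumed review thresholds (not from the survey): flag RSA under 2048 bits and any
# exponent other than 65537, which catches e.g. the 0xff39 (65337) typo.
MIN_RSA_BITS = 2048
F4 = (65537).to_bytes(3, "big")  # b"\x01\x00\x01"


@dataclass
class KeyInfo:
    flags: int
    proto: int
    alg: int
    role: str                 # "KSK" if the SEP bit (flags & 1, RFC 4034) is set, else "ZSK"
    rsa_bits: Optional[int]   # modulus length in bits; None for non-RSA algorithms
    rsa_exp: Optional[bytes]  # public exponent, big-endian; None for non-RSA algorithms


def split_rsa_pubkey(blob: bytes):
    """RFC 3110 s2: exponent length is one byte, or 0x00 followed by a two-byte length."""
    if not blob:
        raise ValueError("empty RSA public key")
    if blob[0] != 0:
        elen, off = blob[0], 1
    elif len(blob) >= 3:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    else:
        raise ValueError("truncated RSA exponent length")
    exp, mod = blob[off:off + elen], blob[off + elen:]
    if len(exp) != elen or not mod.lstrip(b"\x00"):
        raise ValueError("truncated RSA public key")
    return exp, mod


def parse_dnskey(rdata: str) -> KeyInfo:
    """Parse DNSKEY RDATA in presentation format: '<flags> <proto> <alg> <base64...>'."""
    flags_s, proto_s, alg_s, *b64 = rdata.split()
    flags, proto, alg = int(flags_s), int(proto_s), int(alg_s)
    if proto != 3:
        raise ValueError(f"DNSKEY protocol field must be 3 (RFC 4034), got {proto}")
    pubkey = base64.b64decode("".join(b64), validate=True)
    role = "KSK" if flags & 1 else "ZSK"
    bits = exp = None
    if alg in RSA_ALGS:
        exp, mod = split_rsa_pubkey(pubkey)
        mod = mod.lstrip(b"\x00")                       # leading zero octets carry no bits
        bits = (len(mod) - 1) * 8 + mod[0].bit_length()  # exact modulus size
    return KeyInfo(flags, proto, alg, role, bits, exp)


def weaknesses(k: KeyInfo):
    """Parameter points a reviewer would raise; the thresholds are assumptions."""
    notes = []
    if k.alg in SHA1_ALGS:
        notes.append(f"algorithm {k.alg} ({ALG_NAMES.get(k.alg, '?')}) is SHA-1 based")
    if k.rsa_bits is not None and k.rsa_bits < MIN_RSA_BITS:
        notes.append(f"RSA modulus is only {k.rsa_bits} bits")
    if k.rsa_exp is not None and k.rsa_exp != F4:
        notes.append(f"unusual RSA exponent 0x{k.rsa_exp.hex()}")
    return notes


def tabulate(rdatas):
    """Aggregate like the report: (role, alg) counts, (role, bits) counts, exponent counts."""
    algs, bits, exps = Counter(), Counter(), Counter()
    for r in rdatas:
        k = parse_dnskey(r)
        algs[(k.role, k.alg)] += 1
        if k.rsa_bits is not None:
            bits[(k.role, k.rsa_bits)] += 1
            exps[k.rsa_exp] += 1
    return algs, bits, exps


# --- constructed sample input (filler bytes, not real keys) ---------------------------
def fake_modulus(nbits: int) -> bytes:
    """Deterministic filler with the top bit set so the bit count is exactly nbits."""
    return bytes([0xDA]) + bytes(((i * 37 + 11) & 0xFF) for i in range(nbits // 8 - 1))


def rsa_rdata(flags: int, alg: int, exponent: int, modulus: bytes) -> str:
    """Build presentation-format DNSKEY RDATA carrying an RFC 3110 RSA public key."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return f"{flags} 3 {alg} {base64.b64encode(bytes([len(e)]) + e + modulus).decode()}"


SAMPLE_RECORDS = [
    rsa_rdata(257, 8, 65537, fake_modulus(2048)),        # KSK, RSASHA256, 2048 bits
    rsa_rdata(256, 8, 65537, fake_modulus(1024)),        # ZSK, RSASHA256, 1024 bits
    rsa_rdata(257, 7, 0xFF39, fake_modulus(2048)),       # KSK, SHA-1 alg, 65337 exponent typo
    "257 3 13 " + base64.b64encode(bytes(64)).decode(),  # ECDSA P-256 KSK, 64-byte filler
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        k = parse_dnskey(r)
        print(k.role, ALG_NAMES.get(k.alg), k.rsa_bits, weaknesses(k))
    print(tabulate(SAMPLE_RECORDS))
```

Feeding real apex DNSKEY RRsets (e.g. the text output of `dig +short DNSKEY example.` or a zone dump) through `parse_dnskey` reproduces the flags/alg, bits and exponent buckets above; the `0x00` two-byte exponent-length form in `split_rsa_pubkey` is rare in practice but required by RFC 3110 for exponents longer than 255 octets.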