[dns-operations] November 2018 DNSSEC stats

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Dec 1 04:21:41 UTC 2018


[ With credit due to Paul Vixie of Farsight Security for supporting
  this survey with ongoing data snapshots that help to significantly
  improve the survey's coverage.  Also of course ICANN for the gTLD
  data via CZDS and data contributions from the TLD registries for
  .CH, .COM, .DK, .INFO, .IS, .NAME, .LI, .NL and .ORG and open access
  for .FR, .NU and .SE.  More data sources of ccTLD signed delegations
  welcome.

  With help with Wes Hardaker, the data in this report are updated
  daily at <http://stats.dnssec-tools.org/> (work-in-progress, but
  fairly complete). ]
  
The November 2018 numbers from the DANE/DNSSEC survey are:

Total DS RRsets:                8,909,096
Validatable apex DNSKEY RRsets: 8,799,197

DNSKEY parameter frequency (1000 or more instances), by zone count:

 kskalgs | flags | proto | alg
 --------+-------+-------+-----
    4742 |   257 |     3 |   3
  327338 |   257 |     3 |   5
 2193175 |   257 |     3 |   7
 4199903 |   257 |     3 |   8
  136019 |   257 |     3 |  10
 1875826 |   257 |     3 |  13
   61906 |   257 |     3 |  14
 --------+-------+-------+-----

 zskalgs | flags | proto | alg
 --------+-------+-------+-----
    4742 |   256 |     3 |   3
   98358 |   256 |     3 |   5
 2179912 |   256 |     3 |   7
 4135487 |   256 |     3 |   8
  135798 |   256 |     3 |  10
  814230 |   256 |     3 |  13
   60980 |   256 |     3 |  14
 --------+-------+-------+-----

RSA key size distribution (1000 or more instances), by zone count:

 kskdomains | bits
 -----------+------
      68239 | 4096
    5169843 | 2048
     305744 | 1536
       3188 | 1280
    1308866 | 1024
       8055 |  512
 -----------+------

 zskdomains | bits
 -----------+------
      13750 | 4096  
     114635 | 2048
     310476 | 1280
    6101754 | 1024
       7857 |  512
 -----------+------

RSA exponent distribution:

 domains |     exp
 --------+--------------
 6845294 | \x010001
   12748 | \x0100000001
     439 | \x03
      47 | \xff39	   (65337 typo)
      34 | \x40000003
      19 | \xffff          (65535 seems a poor choice)
 --------+--------------

Breakdown by TLD of secure delegations found where the count
exceeds 999, ordered by decreasing numer of domains (the true
number may be higher where authoritative data is not available):

 TLD           total-DS
 ------------+---------
 nl          |  3102220
 com         |   958181
 se          |   749808
 cz          |   595595
 br          |   501845
 eu          |   495807
 pl          |   477670
 fr          |   400624
 no          |   387913
 be          |   155552
 net         |   132637
 hu          |   121146
 nu          |   108395
 org         |    99918
 de          |    89299
 ch          |    62915
 info        |    39078
 app         |    37876
 uk          |    33157
 dk          |    23270
 ovh         |    21493
 biz         |    19718
 es          |    17665
 mx          |    16690
 hk          |    15730
 io          |    14113
 pt          |    12307
 shop        |    11080
 me          |     9352
 online      |     7685
 us          |     7605
 xyz         |     6669
 at          |     6436
 co          |     5725
 amsterdam   |     5248
 frl         |     4133
 cloud       |     4037
 kr          |     3893
 tech        |     3725
 re          |     3681
 lv          |     3549
 fi          |     3412
 tv          |     3318
 paris       |     2869
 ru          |     2829
 ca          |     2828
 in          |     2801
 store       |     2720
 bank        |     2694
 nrw         |     2468
 xn--j6w193g |     2383
 is          |     2066
 email       |     1963
 club        |     1930
 world       |     1766
 art         |     1738
 immo        |     1666
 it          |     1633
 ee          |     1580
 bzh         |     1487
 site        |     1433
 pro         |     1426
 cc          |     1375
 space       |     1292
 au          |     1257
 agency      |     1200
 gov         |     1162
 li          |     1126
 mobi        |     1109
 design      |     1095
 one         |     1084
 nz          |     1046
 studio      |     1010
 ------------+---------

DNSKEY lookup success (non-sucess may be bogus, or some non-DNSSEC
error such as lame delegation, ...) rates by TLD with 1000 or more
signed delegations, ordered by decreasing success rate.  The leaders
are still Hong Kong (1st and 3rd places) Brazil, Iceland and Mexico
(2nd, 4th and 5th places respectively):

     TLD     | DNSKEY-ok | total-DS | %working 
 ------------+-----------+----------+-------
 xn--j6w193g |      2383 |     2383 | 100.00 
 br          |    501643 |   501845 | 99.96 
 hk          |     15722 |    15730 | 99.95 
 is          |      2062 |     2066 | 99.81 
 mx          |     16656 |    16690 | 99.80 
 app         |     37792 |    37876 | 99.78 
 art         |      1734 |     1738 | 99.77 
 ovh         |     21416 |    21493 | 99.64 
 immo        |      1659 |     1666 | 99.58 
 bzh         |      1479 |     1487 | 99.46 
 de          |     88806 |    89299 | 99.45 
 paris       |      2853 |     2869 | 99.44 
 studio      |      1004 |     1010 | 99.41 
 nl          |   3083430 |  3102220 | 99.39 
 re          |      3658 |     3681 | 99.38 
 no          |    385454 |   387913 | 99.37 
 fr          |    398055 |   400624 | 99.36 
 hu          |    120238 |   121146 | 99.25 
 agency      |      1191 |     1200 | 99.25 
 pro         |      1415 |     1426 | 99.23 
 cz          |    589602 |   595595 | 98.99 
 ee          |      1564 |     1580 | 98.99 
 ch          |     62263 |    62915 | 98.96 
 eu          |    490495 |   495807 | 98.93 
 tv          |      3282 |     3318 | 98.92 
 be          |    153832 |   155552 | 98.89 
 world       |      1746 |     1766 | 98.87 
 biz         |     19474 |    19718 | 98.76 
 cloud       |      3985 |     4037 | 98.71 
 fi          |      3368 |     3412 | 98.71 
 gov         |      1147 |     1162 | 98.71 
 online      |      7582 |     7685 | 98.66 
 mobi        |      1094 |     1109 | 98.65 
 info        |     38542 |    39078 | 98.63 
 it          |      1610 |     1633 | 98.59 
 pt          |     12123 |    12307 | 98.50 
 tech        |      3668 |     3725 | 98.47 
 org         |     98358 |    99918 | 98.44 
 one         |      1067 |     1084 | 98.43 
 li          |      1107 |     1126 | 98.31 
 io          |     13873 |    14113 | 98.30 
 se          |    736929 |   749808 | 98.28 
 nz          |      1028 |     1046 | 98.28 
 cc          |      1351 |     1375 | 98.25 
 me          |      9185 |     9352 | 98.21 
 bank        |      2644 |     2694 | 98.14 
 net         |    130008 |   132637 | 98.02 
 store       |      2666 |     2720 | 98.01 
 nu          |    106117 |   108395 | 97.90 
 at          |      6299 |     6436 | 97.87 
 kr          |      3810 |     3893 | 97.87 
 us          |      7441 |     7605 | 97.84 
 design      |      1071 |     1095 | 97.81 
 com         |    934936 |   958181 | 97.57 
 amsterdam   |      5119 |     5248 | 97.54 
 dk          |     22694 |    23270 | 97.52 
 club        |      1879 |     1930 | 97.36 
 uk          |     32227 |    33157 | 97.20 
 email       |      1907 |     1963 | 97.15 
 space       |      1253 |     1292 | 96.98 
 pl          |    462372 |   477670 | 96.80 
 es          |     17064 |    17665 | 96.60 
 ca          |      2729 |     2828 | 96.50 
 shop        |     10685 |    11080 | 96.44 
 xyz         |      6419 |     6669 | 96.25 
 co          |      5510 |     5725 | 96.24 
 site        |      1368 |     1433 | 95.46 
 lv          |      3381 |     3549 | 95.27 
 frl         |      3922 |     4133 | 94.89 
 au          |      1189 |     1257 | 94.59 
 in          |      2635 |     2801 | 94.07 
 ru          |      2575 |     2829 | 91.02 
 nrw         |      2213 |     2468 | 89.67 
 ------------+-----------+----------+-------

It looks plausible that in .PL most of the vast majority of the
DNSKEY lookup failures are intentional, with ~16k domains that
have .PL DS RRs served sans DNSSEC by "ns[12].blocked.nazwa.pl",
such as:

    cmfpjpu.pl IN NS ns1.blocked.nazwa.pl.
    cmfpjpu.pl IN NS ns2.blocked.nazwa.pl.
    dohhefu.pl IN NS ns1.blocked.nazwa.pl.
    dohhefu.pl IN NS ns2.blocked.nazwa.pl.
    fotaa927.pl IN NS ns1.blocked.nazwa.pl.
    fotaa927.pl IN NS ns2.blocked.nazwa.pl.
    ghppiow.pl IN NS ns1.blocked.nazwa.pl.
    ghppiow.pl IN NS ns2.blocked.nazwa.pl.
    hoovajc.pl IN NS ns1.blocked.nazwa.pl.
    hoovajc.pl IN NS ns2.blocked.nazwa.pl.

Regular nazwa.pl domains seem to use "ns[123].nazwa.pl".

Bottom line, the non-successes in the above table are not necessarily
operational failures, they may well be intentional not-in-service
states.

A quick scan of all ~109k non-working domains shows that around
half fail even with validation disabled, so the aggregate problem
rate is at most ~0.5%, but likely much better as prblem domains
domains may be in the process of being decomissioned or are parked,
... and there's no expectation of DNS availabllity.

-- 
	Viktor.


More information about the dns-operations mailing list