[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Rubens Kuhl rubensk at nic.br
Tue May 1 18:55:18 UTC 2018


The gaps likely come from TLDs that don't publish zone files, like .br and .de, but publish DNSSEC totals. https://www.internetsociety.org/deploy360/dnssec/statistics/ has a good collection of stats links.

Specifically for .br, there were 1.042.556 signed domains in the zone yesterday. 99.97% responded correctly to DNSSEC queries in the last few days, probably because most of them use registry-operated authoritative servers (*.sec.dns.br, *.auto.dns.br).

Google Transparency Report (https://transparencyreport.google.com/safer-email/overview, https://storage.googleapis.com/transparencyreport/google-safer-email.zip) has a 64322-line spreadsheet of domains listing their encryption share that might be worth looking into.


Rubens




> On 30 Apr 2018, at 02:23, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> I was looking around for DNSSEC-adoption statistics that might be more comprehensive than what I've gathered as a side-effect of the DANE-adoption survey, but so far I am just finding significantly smaller numbers, so I decided to post some numbers below.  If anyone is aware of broader surveys that reach higher totals, I'd like to know where my gap lies.
> 
>  Total secure delegations from public-suffix domains:  5,906,891
> 
> The top 10 suffixes with DNSSEC-delegated subdomains are:
> 
>  1417555 .nl
>   892186 .se         -- based on full zone access
>   874038 .com        -- based on full zone access
>   420095 .fr         -- based on 30-day old opendata.fr name list
>   340503 .no
>   304801 .cz
>   301306 .eu
>   230590 .com.br
>   150053 .nu         -- based on full zone access
>   131356 .be
> 
> Many of the domains are likely parked, so lookup failure may not matter; in
> any case ~2.0% don't return validated DNSKEY RRsets:
> 
>  Delegations where the DNSKEY RRset validates:         5,787,259
> 
> Of domains with a valid DNSKEY RRset, MX lookups very rarely fail
> to return either a non-empty signed RRset or working denial of
> existence:
> 
>  Secure MX RRsets at delegated zone apex:              5,786,858
> 
> With just 401 (0.007%) MX lookup failures for domains with a working
> DNSKEY RRset.
> 
> An additional 158,170 child domains of public suffixes have valid DNSSEC-signed MX records by virtue of being served out of the parent zone rather than delegated.  This makes DANE for SMTP possible in principle for 5,945,028 domains of which at last scan 205,396 (3.4%) have TLSA records for at least all the primary MX hosts, and only 1409 of those domains fail to have TLSA records for some secondary MX hosts.
> 
> The top 10 public suffixes serving non-delegated domains are:
> 
>  116074 de
>   14362 info
>    9394 at
>    6481 pw
>    2958 in
>    1047 uk
>    1012 ma
>     881 jp
>     862 lk
>     791 mobi
> 
> --
> 	Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
