[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?
Rubens Kuhl
rubensk at nic.br
Tue May 1 23:48:14 UTC 2018
> On 1 May 2018, at 19:23, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
>
>> On May 1, 2018, at 5:29 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>>
>>> It is interesting that even with the looming GDPR, France is able to
>>> provide 30-day-old data for unrestricted download and .SE provides
>>> fresh data, while others are unable to provide either fresh or stale
>>> data. There are perhaps contractual constraints with existing
>>> registrants, and/or country-specific laws...
>>
>> Or concerns with WHOIS harvesting.
>
> If that were my only concern, I'd focus on rate-limiting WHOIS,
Why do you think rate-limiting WHOIS isn't also done? At least in .br, it is.
> and still admit reasonable requests for zone file access when
> presented with evidence of a legitimate use-case. I am guessing
> there are more reasons than just that... :-(
>
Nope, just that, and the willingness to put registrant interests ahead of possible research interests.
> Overall I have 1,173,206 .br domain names of which 239,412 or
> 20.4% return a validated answer (perhaps NODATA) for MX lookups.
Couldn't some domains be using A or AAAA instead of MX? It's old school but still works.
>
> Frederico reports 1,044,645/3,959,979 or 26.3% DNSSEC/TOTAL, so my
> present dataset appears to under-sample the signed domains. The
> relevant suffixes are mostly:
>
> 1079739 .com.br
> 21925 .org.br
> 16640 .ba.gov.br
.xx.gov.br are state-level governmental domains, run by a state-level governmental organisation. So each of them might provide you a zone file or not at their discretion, and each of them might be DNSSEC-signed or not at their discretion.
> 13413 .blogspot.com.br
blogspot.com.br is a domain. Any entry there is a hostname in the domain, and since it's owned by the Google Blogger service, it is unlikely to have mail service.
> 9533 .net.br
Most of the .com.br, .org.br and .net.br domains that also happen to have mail service appear in Cisco Umbrella's 1M list, more than in Alexa's 1M list, which looks more browser-oriented.
> 3663 .adv.br
> 3063 .ind.br
> 1544 .art.br
> 1449 .inf.br
> 1409 .edu.br
> 1188 .eng.br
> 1162 .br
Have you tried DNSSECWalk with those smaller zones? I remember com/org/net .br being the ones with NSEC3 and the others having NSEC, but I couldn't confirm it now.
Rubens