[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Rubens Kuhl rubensk at nic.br
Tue May 1 23:48:14 UTC 2018

> On 1 May 2018, at 19:23, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> On May 1, 2018, at 5:29 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>>> It is interesting that even with the looming GDPR, France is able to
>>> provide 30-day-old data for unrestricted download and .SE provides
>>> fresh data, while others are unable to provide either fresh or stale
>>> data.  There are perhaps contractual constraints with existing
>>> registrants, and/or country-specific laws...
>> Or concerns with WHOIS harvesting.
> If that were my only concern, I'd focus on rate-limiting WHOIS,

Why do you think rate-litmiting WHOIS isn't also done ? At least in .br, it is.

> and still admit reasonable requests for zone file access when
> presented with evidence of a legitimate use-case.  I am guessing
> there are more reasons than just that... :-(

Nope, just that, and the willingness to put registrant interests ahead of possible research interests.

> Overall I have 1,173,206 .br domain names of which 239,412 or
> 20.4% return a validated answer (perhaps NODATA) for MX lookups.

Couldn't some domains be using A or AAAA instead of MX ? It's old school but still works.

> Frederico reports 1,044,645/3,959,979 or 26.3% DNSSEC/TOTAL, so my
> present dataset appears to under-sample the signed domains.  The
> relevant suffixes are mostly:
> 1079739 .com.br
>  21925 .org.br
>  16640 .ba.gov.br <http://ba.gov.br/>

.xx.gov.br <http://xx.gov.br/> are state-level governmental domains, run by a state-level governmental organisation. So each of them might provide you a zone file or not at their discretion, and each of them might DNSSEC-signed or not at their discretion.

>  13413 .blogspot.com.br <http://blogspot.com.br/>

blogspot.com.br <http://blogspot.com.br/> is a domain. Any entry there is a hostname in the domain, and since it's owned by Google Blogger service, unlike to have mail service.

>   9533 .net.br <http://net.br/>

Most of .com.br <http://com.br/>, .org.br <http://org.br/> and .net.br <http://net.br/> domains that also happen to have mail service appear at Cisco Umbrella's 1M list, more than at Alexa's 1M list that looks more browser oriented.

>   3663 .adv.br
>   3063 .ind.br
>   1544 .art.br
>   1449 .inf.br
>   1409 .edu.br
>   1188 .eng.br
>   1162 .br

Have you tried DNSSECWalk with those smaller zones  ? I remember com/org/net .br being the ones with NSEC3 and the others having NSEC, but I couldn't confirm it now.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180501/7904655c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 529 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180501/7904655c/attachment.sig>

More information about the dns-operations mailing list