[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 2 01:00:37 UTC 2018

> On May 1, 2018, at 7:48 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>> Overall I have 1,173,206 .br domain names of which 239,412 or
>> 20.4% return a validated answer (perhaps NODATA) for MX lookups.
> Couldn't some domains be using A or AAAA instead of MX ? It's old school but still works.

There are still many such domains, which is why NODATA for MX
is treated correctly by the DANE scanner as an implicit MX

	example.com.br. IN MX 0 example.com.br.

If the NODATA reply is signed, processing continues with A, AAAA
and TLSA lookups.  If insecure, the domain is skipped, though in
principle this could just be misuse of NSEC3 opt-out, and it could
still have secure address and TLSA records.  For now, skipping such
exotic data points is fine.


More information about the dns-operations mailing list