[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed May 2 01:00:37 UTC 2018
> On May 1, 2018, at 7:48 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
>> Overall I have 1,173,206 .br domain names of which 239,412 or
>> 20.4% return a validated answer (perhaps NODATA) for MX lookups.
>
> Couldn't some domains be using A or AAAA instead of MX? It's old school but still works.

There are still many such domains, which is why NODATA for MX
is treated correctly by the DANE scanner as an implicit MX
record:

    example.com.br. IN MX 0 example.com.br.

If the NODATA reply is signed, processing continues with A, AAAA
and TLSA lookups. If insecure, the domain is skipped, though in
principle this could just be misuse of NSEC3 opt-out, and it could
still have secure address and TLSA records. For now, skipping such
exotic data points is fine.

--
Viktor.
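
The decision described in the message above, sketched as an added example (not the DANE scanner's own code and not part of the original post). MXResult and plan_lookups are hypothetical names, the replies are constructed stand-ins for what a validating resolver would return, and skipping an insecure explicit MX RRset is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class MXResult:
    """Constructed stand-in for a validating resolver's reply to an MX query."""
    rcode: str                  # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    secure: bool                # True if the reply was DNSSEC-validated
    mx: list = field(default_factory=list)  # [(preference, exchange), ...]

def plan_lookups(domain, reply):
    """Return (action, hosts, tlsa_names) for one domain's MX reply."""
    domain = domain.rstrip(".").lower() + "."
    if reply.rcode != "NOERROR":
        return ("skip:" + reply.rcode.lower(), [], [])
    if not reply.secure:
        # Insecure NODATA: the domain is skipped, as the message describes.
        # Assumption of this sketch: an insecure explicit MX RRset is
        # skipped the same way.
        return ("skip:insecure", [], [])
    if reply.mx:
        # Validated MX RRset: use the exchanges in preference order.
        hosts = [host for _, host in sorted(reply.mx)]
        action = "explicit-mx"
    else:
        # Validated NODATA: behave as if "<domain> IN MX 0 <domain>" existed.
        hosts = [domain]
        action = "implicit-mx"
    # Each host then gets A, AAAA and TLSA lookups; for SMTP on port 25
    # the TLSA owner name is _25._tcp.<host>.
    tlsa_names = ["_25._tcp." + host for host in hosts]
    return (action, hosts, tlsa_names)

if __name__ == "__main__":
    samples = {  # constructed replies, not survey data
        "signed-nodata.example.com.br": MXResult("NOERROR", True),
        "unsigned-nodata.example.com.br": MXResult("NOERROR", False),
        "signed-mx.example.com.br": MXResult(
            "NOERROR", True,
            [(20, "mx2.example.net."), (10, "mx1.example.net.")]),
    }
    for name, reply in samples.items():
        print(name, plan_lookups(name, reply))
```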