[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 2 01:00:37 UTC 2018



> On May 1, 2018, at 7:48 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> 
>> Overall I have 1,173,206 .br domain names of which 239,412 or
>> 20.4% return a validated answer (perhaps NODATA) for MX lookups.
> 
> Couldn't some domains be using A or AAAA instead of MX? It's old school but still works.

There are still many such domains, which is why NODATA for MX
is treated correctly by the DANE scanner as an implicit MX
record:

	example.com.br. IN MX 0 example.com.br.

If the NODATA reply is signed, processing continues with A, AAAA
and TLSA lookups.  If insecure, the domain is skipped, though in
principle this could just be misuse of NSEC3 opt-out, and it could
still have secure address and TLSA records.  For now, skipping such
exotic data points is fine.

-- 
	Viktor.
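
The decision described in the message above, sketched as an added example; it is not part of the original post and not the DANE scanner's own code. `MXReply` and `plan_dane_lookups` are hypothetical names, the replies are constructed, the `_25._tcp` TLSA owner name is the SMTP convention from RFC 7672, and skipping insecure replies that do carry MX records is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class MXReply:
    """Constructed model of an MX lookup result from a validating resolver."""
    rcode: str                                     # "NOERROR", "NXDOMAIN", "SERVFAIL"
    secure: bool                                   # True if DNSSEC-validated (AD bit set)
    exchanges: list = field(default_factory=list)  # [(preference, host)]; empty = NODATA

def fqdn(name):
    """Normalise a host name to lower case with a single trailing dot."""
    return name.rstrip(".").lower() + "."

def plan_dane_lookups(domain, reply):
    """Return the follow-up (qname, qtype) queries, or [] when the domain is skipped."""
    # Failed lookups, NXDOMAIN and unvalidated replies are skipped (assumption for
    # insecure replies that contain MX records; the post only covers insecure NODATA).
    if reply.rcode != "NOERROR" or not reply.secure:
        return []
    # Signed NODATA: treat the domain itself as an implicit "MX 0 <domain>".
    exchanges = reply.exchanges or [(0, domain)]
    queries = []
    for _pref, host in sorted(exchanges):
        if host == ".":
            continue  # null MX (RFC 7505): the domain accepts no mail
        host = fqdn(host)
        queries += [(host, "A"), (host, "AAAA"), ("_25._tcp." + host, "TLSA")]
    return queries

if __name__ == "__main__":
    # Constructed sample replies, not survey data.
    samples = {
        "signed NODATA": MXReply("NOERROR", True),
        "insecure NODATA": MXReply("NOERROR", False),
        "signed MX RRset": MXReply("NOERROR", True,
                                   [(20, "mx2.example.net."), (10, "MX1.example.net")]),
    }
    for label, reply in samples.items():
        print(label, "->", plan_dane_lookups("example.com.br", reply))
```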




