[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 2 05:25:04 UTC 2018 


> On May 1, 2018, at 4:54 PM, Ray Bellis <ray at isc.org> wrote:
> 
> Have you looked at Bert Hubert's HyperLogLog method for estimating the
> number of signed delegations in a zone by performing statistics on the
> distribution of the NSEC3 hashes?
> 
> <https://indico.dns-oarc.net/event/26/contributions/437/attachments/395/671/hyperloglog_1.pdf>

Ah yes, "The German tank problem", I'd seen this a while back and forgot
all about it.  The most recent numbers reported at:

  https://powerdns.org/dnssec-stats/

are from 2017/02/03, estimating 7,375,455 domains, which is much better
than what I've seen elsewhere.  A comparison of that report with my
actual (but often incomplete) counts gives me a clear sense of where
the gaps lie.  Note my numbers only include domains where the DNSKEY
RRset validates, excluding delegates where DNSSEC fails). The top 25
suffixes comparison is:

  suffix   bert's #  my number  complete zone?
  ------   --------  ---------  --------------

      nl    2618262    1409210  
     com     588136     853800  Y
      se     607290     840042  Y
      fr     337751     412562  Y 30-day delayed
      no     431968     337863
      cz     638970     301238
      eu     365356     297904
  com.br     771183     229670
      nu      84151     139901  Y
      be     132395     130034
     net     113548     121870  Y
      hu     111436      99489
     org      74039      90460  Y
      pl      32193      75955
      de      62775      49045
    info      28651      35915
      ch      16764      31964
     ovh      21505      22555  Y
      dk      22422      21672
     biz       2125      18474
      pt      15334      11697
      es       7200      11614
      io       7502       7436
   co.uk      17909       7339
     xyz       8548       6671  Y

So, at the moment, the largest obvious coverage gaps are .NL,
.COM.BR, .CZ and .NO.  It'd be nice to compare against any more
recent data Bert has collected...

Brazil is clearly my weak spot, if some slightly used, second-hand,
reasonably comprehensive list of .BR domains fell into my lap, I'd
be grateful.  I seem to be getting much better fractional coverage
for the other domains with substantial DNSSEC deployments.

DNSSEC adoption under .biz seems to have increased 9-fold or more,
or selse the NSEC estimates from a year ago were particularly
skewed by the non-uniformity of NSEC distributions.

-- 
	Viktor.

More information about the dns-operations mailing list