[dns-operations] DNSSEC quality by TLD
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu May 17 02:31:59 UTC 2018

The current iteration of my database has been collecting DS and DNSKEY
RRs for a growing number of domains since Oct/2017.

I thought it might be interesting for each TLD to look at what fraction
of domains with published DS records under that TLD or lower have been
observed with a valid DNSKEY RRset signature at some point during the
last ~7 months, and what fraction are returning valid DNSKEY RRs at
last check today. Below is that data for TLDs with at least 1000
delegated DS RRs sorted by descending fraction of records valid
now.

Note that some TLDs have many parked domains, where the registrant
has no interest in working DNS for the domain, in which case the
non-working DNSKEY lookups are not a problem. So what we see
below is a combination of operational diligence by the DNS zone
operators and the type of domains registered (active vs. parked):

TLD name  DS count   OK ever    OK now    / ever     / now
--------- --------  --------  --------  --------  --------
br          283908    283784    283740  0.999563  0.999408
app          21472     21459     21459  0.999395  0.999395 [1]
mx           12976     12961     12960  0.998844  0.998767
ovh          22537     22519     22487  0.999201  0.997781
re            2612      2608      2604  0.998469  0.996937
pl          150526    150146    150012  0.997476  0.996585
art           1428      1425      1423  0.997899  0.996499
immo          1646      1640      1640  0.996355  0.996355
hk            2087      2079      2079  0.996167  0.996167
nl         1465107   1462259   1458225  0.998056  0.995303
bzh           1469      1463      1462  0.995916  0.995235
shop          6355      6336      6324  0.997010  0.995122
paris         2864      2849      2848  0.994763  0.994413
de           58323     58063     57978  0.995542  0.994085
world         1665      1658      1655  0.995796  0.993994
hu          103900    103388    103255  0.995072  0.993792
ee            1187      1180      1179  0.994103  0.993260
no          340122    339254    337734  0.997448  0.992979
eu          314982    313577    312477  0.995539  0.992047
cz          360438    357434    357208  0.991666  0.991039
be          131005    129978    129668  0.992161  0.989794
tv            1760      1747      1742  0.992614  0.989773
fi            2447      2425      2419  0.991009  0.988557
cloud         2570      2551      2539  0.992607  0.987938
biz          18851     18659     18616  0.989815  0.987534
ch           32336     32043     31899  0.990939  0.986486
online        6321      6258      6234  0.990033  0.986236
info         36512     36132     35983  0.989592  0.985512
tech          3218      3191      3171  0.991610  0.985395
org          92415     91307     90965  0.988011  0.984310
gov           1174      1166      1155  0.993186  0.983816
pt           12495     12323     12288  0.986234  0.983433
store         2257      2226      2219  0.986265  0.983163
fr          426501    419732    419298  0.984129  0.983111
me            5842      5761      5740  0.986135  0.982540
space         1063      1048      1041  0.985889  0.979304
net         125032    122968    122336  0.983492  0.978438
us            5944      5845      5807  0.983345  0.976952
nrw           2598      2554      2536  0.983064  0.976135
com         882957    866044    860688  0.980845  0.974779
email         1749      1721      1704  0.983991  0.974271
at            5546      5449      5401  0.982510  0.973855
dk           22249     21826     21643  0.980988  0.972763
io            8934      8705      8675  0.974368  0.971010
club          1649      1613      1601  0.978169  0.970891
amsterdam     4131      4026      3989  0.974582  0.965626
ca            1619      1566      1559  0.967264  0.962940
uk           31259     30247     30067  0.967625  0.961867
xyz           6984      6770      6697  0.969359  0.958906
lv            3259      3163      3120  0.970543  0.957349
co            4538      4357      4343  0.960115  0.957030
frl           3776      3605      3566  0.954714  0.944386
se          883923    878640    831936  0.994023  0.941186
es           13728     12939     12899  0.942526  0.939612
nu          142944    142179    132972  0.994648  0.930238
in            1891      1778      1754  0.940243  0.927552
ru            1904      1752      1666  0.920168  0.875000
bank          2954      2936      1604  0.993907  0.542993

--
Viktor.
[1] Of course domains in TLDs like .app, which only opened for
registration in the last few days, have not yet had much chance
to exhibit poor key mgmt.
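
Added example (not part of the original message and not the author's survey code): one offline step of the kind of check described above, linking a parent-side DS record to a key in the child's DNSKEY RRset via the RFC 4034 key tag and the RFC 4509 SHA-256 digest. It does not verify the RRSIG over the DNSKEY RRset; the owner name, key bytes and rollover scenario are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (defined for every algorithm except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner wire name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def ds_matches(owner, ds, dnskeys):
    """Return the DNSKEY RDATA that ds = (tag, alg, digest_type, digest) refers
    to, or None when no key in the child's RRset matches (broken delegation)."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:          # this sketch handles SHA-256 only
        return None
    for rdata in dnskeys:
        if len(rdata) < 4:
            continue
        flags, protocol, key_alg = struct.unpack("!HBB", rdata[:4])
        if not flags & 0x0100 or protocol != 3 or key_alg != alg:
            continue              # not a zone key, or wrong algorithm
        if key_tag(rdata) == tag and ds_digest_sha256(owner, rdata) == digest:
            return rdata
    return None

# Constructed sample data, not real keys: a KSK, and the key left in the zone
# after a rollover that never updated the parent's DS.
OWNER = "example.test"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ROLLED = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
DS = (key_tag(KSK), 13, 2, ds_digest_sha256(OWNER, KSK))

if __name__ == "__main__":
    print("DS matches published KSK:", ds_matches(OWNER, DS, [ROLLED, KSK]) is not None)
    print("DS matches after rollover:", ds_matches(OWNER, DS, [ROLLED]) is not None)
```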