[dns-operations] DNSSEC quality by TLD

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 17 15:37:14 UTC 2018

> On May 17, 2018, at 11:05 AM, Marc Groeneweg <Marc.Groeneweg at sidn.nl> wrote:
> I understand. But there's still a big gap between the numbers you report for .nl, and the actual numbers seen at our registry for .nl. As stated, from the 5.810.123 .nl domains, 3.027.173 domains are signed. From the statistics run today with our DNSSEC validation monitor, 2675 domains do not have a signed delegation and 3618 don't have an NSEC3 signed nxdomain answer.

Of course, but I can only report on the data I have.  I am not claiming
I have all the data.  As I acquire more data, my numbers get better.

The biggest "gap", for which I've not yet found a source to substantially
improve coverage is ".br" (coincidentally the TLD with the best record
of working DNSSEC, once we exclude those with fewer than 1000 DS RRsets,
where often 100% of the handful of signed domains are OK).

There are (according to recent .BR statistics) 1,044,645/3,959,979 signed/total
domains under .com.br et al., but I've only found 283,908/1,589,657.  What's
interesting here is my observed 17.8% signed delegations is much lower than
the reported 26.3% overall percentage.  So my sample is noticeably biased away
from the signed domains.  Of the domains I've not found, 32% are signed.  Perhaps
there's a large pool of signed parked domains that don't show up in any of my

I'm getting much better coverage with the other zones with many signed domains.

