[dns-operations] DNSSEC quality by TLD
Frederico A C Neves
fneves at registro.br
Thu May 17 17:01:32 UTC 2018
On Thu, May 17, 2018 at 11:37:14AM -0400, Viktor Dukhovni wrote:
> > On May 17, 2018, at 11:05 AM, Marc Groeneweg <Marc.Groeneweg at sidn.nl> wrote:
> > I understand. But there's still a big gap between the numbers you report for .nl, and the actual numbers seen at our registry for .nl. As stated, from the 5.810.123 .nl domains, 3.027.173 domains are signed. From the statistics run today with our DNSSEC validation monitor, 2675 domains do not have a signed delegation and 3618 don't have a NSEC3 signed nxdomain answer.
> Of course, but I can only report on the data I have. I am not claiming
> I have all the data. As I acquire more data, my numbers get better.
> The biggest "gap", for which I've not yet found a source to substantially
> improve coverage is ".br" (coincidentally the TLD with the best record
> of working DNSSEC, once we exclude those with fewer than 1000 DS RRsets,
> where often 100% of the handful of signed domains are OK).
> There are (according to recent .BR statistics) 1,044,645/3,959,979 signed/total
> domains under .com.br et. al., but I've only found 283,908/1,589,657. What's
> interesting here is my observed 17.8% signed delegations is much lower than
> the reported 26.3% overall percentage. So my sample is noticeably biased away
> from the signed domains. Of the domains I've not found 32% are signed. Perhaps
> there's a large pool of signed parked domains that don't show up in any of my
This explanation is correct.
> I'm getting much better coverage with the other zones with many signed domains.
More information about the dns-operations