[dns-operations] DNSSEC quality by TLD

Sat May 19 04:29:57 UTC 2018

> On May 17, 2018, at 11:05 AM, Marc Groeneweg <Marc.Groeneweg at sidn.nl> wrote:
> 
> I understand. But there's still a big gap between the numbers you report for .nl, and the actual numbers seen at our registry for .nl. As stated, from the 5.810.123 .nl domains, 3.027.173 domains are signed. From the statistics run today with our DNSSEC validation monitor, 2675 domains do not have a signed delegation and 3618 don't have a NSEC3 signed nxdomain answer.

Because my queries go through an intermediate resolver I cannot easily distinguish between DNSSEC failures (no matching DNSKEY, expired RRSIGs, ...) and ordinary DNS failures (lame delegation, ...).  I presently see 6,646 domains for which DS RR lookups succeed, but DNSKEY lookups ServFail for some reason.

Rescanning the same domains 2 days later I see 116 domains that have been retired (NXDOmain), 24 that are no longer signed,  43 where DNSKEY lookups now succeed and 6463 still ServFail.

Looking at 20 randomly selected domains, I see just SEP failures:

http://dnsviz.net/d/freewifi.nl/dnssec/
http://dnsviz.net/d/kasperskyantivirus.nl/dnssec/
http://dnsviz.net/d/tooldump.nl/dnssec/
http://dnsviz.net/d/thecountess.nl/dnssec/
http://dnsviz.net/d/employyourbrand.nl/dnssec/
http://dnsviz.net/d/edelsteentjes.nl/dnssec/
http://dnsviz.net/d/gratisfotopapier.nl/dnssec/
http://dnsviz.net/d/roije.nl/dnssec/
http://dnsviz.net/d/bestforbabies.nl/dnssec/
http://dnsviz.net/d/costabravahotel.nl/dnssec/
http://dnsviz.net/d/stropellets.nl/dnssec/
http://dnsviz.net/d/sediq.nl/dnssec/
http://dnsviz.net/d/mijngerecht.nl/dnssec/
http://dnsviz.net/d/b-f-r.nl/dnssec/
http://dnsviz.net/d/flexalighting.nl/dnssec/
http://dnsviz.net/d/mediwietwebwinkel.nl/dnssec/
http://dnsviz.net/d/mariya-p.nl/dnssec/
http://dnsviz.net/d/yoga-coaching.nl/dnssec/
http://dnsviz.net/d/sellzz.nl/dnssec/
http://dnsviz.net/d/raadvalkenburg.nl/dnssec/

-- 
	Viktor.