[dns-operations] Update: DNSSEC stats

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 31 22:35:52 UTC 2018 

With the DANE survey's working DNSKEY RRset count now
at 7,619,511, I am posting another statistics update:

KSK parameters found in >= 1000 zones:

 domains | flags | proto | alg
 --------+-------+-------+-----
    3138 |   257 |     3 |   3
  296582 |   257 |     3 |   5
 2082185 |   257 |     3 |   7
 3668317 |   257 |     3 |   8
   72065 |   257 |     3 |  10
 1436107 |   257 |     3 |  13
   61586 |   257 |     3 |  14

ZSK parameters found in >= 1000 zones:

 domains | flags | proto | alg
 --------+-------+-------+-----
    3138 |   256 |     3 |   3
  137507 |   256 |     3 |   5
 2074937 |   256 |     3 |   7
 3613605 |   256 |     3 |   8
   71940 |   256 |     3 |  10
  759498 |   256 |     3 |  13
   60715 |   256 |     3 |  14

KSK RSA key sizes seen in >= 1000 working zones:

 domains | bits
 --------+------
   65076 | 4096
 4357435 | 2048
  288386 | 1536
    2075 | 1280
 1400711 | 1024
   14627 |  512

ZSK RSA key sizes seen in >= 1000 working zones:

 domains | bits
 --------+------
   12589 | 4096
   83907 | 2048
  292840 | 1280
 5493388 | 1024
   14886 |  512

Finally, I'm including a snapshot by TLD of domains with signed
DS RRs in the parent zone, for which DNSKEY retrieval fails.  Not
always for DNSSEC reasons, the domain may be in the process of
decommissioning, or other non-DNSSEC failure reason.  Only listing
TLDs with 10 or more broken domains.  The totals are what I've found,
not any totals reported by the registries.

tld         | broken |  total ds
------------+--------+----------
se              41703     831083
nu               8713     130528
com              5529     869613
nl               4069    2461539
no               1712     380917
bank             1321       2936
eu               1043     447164
net               671     123253
org               378      91645
uk                365      30706
cz                264     588974
be                239     143210
pl                200     211146
hu                183     105600
info              152      36113
dk                116      22607
ch                101      34865
de                 95      78282
xyz                80       6547
ru                 77       1918
lv                 55       3161
biz                45      18671
br                 45     402273
io                 43       8768
us                 41       6089
frl                39       3624
amsterdam          37       4082
es                 36      13175
at                 33       5471
ovh                32      22510
online             30       6336
pt                 30      12200
me                 26       5815
tech               22       3209
bid                21        447
nrw                20       2554
man                19         71
space              19       1066
id                 17        275
shop               17       6447
email              16       1748
club               14       1636
fi                 14       2420
site               14        805
au                 13        923
cloud              13       2632
store              13       2242
ro                 12        797
gov                11       1164
ca                 10       1635

-- 
    Viktor.

More information about the dns-operations mailing list