[dns-operations] October 2018 DNSSEC stats
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Oct 31 04:44:34 UTC 2018
[ With credit due to Paul Vixie of Farsight Security for supporting
this survey with ongoing data snapshots that help to significantly
improve the survey's coverage. Also of course ICANN for the gTLD
data via CZDS and data contributions from the TLD registries for
.CH, .COM, .DK, .INFO, .NAME, .LI, .NL and .ORG and open access
for .FR, .NU and .SE. More data sources of ccTLD signed delegations
welcome.
The major change this month is that .SE and .NU appear to have
removed many previously non-resolving domains, so while their
total DS RRset counts declined somewhat, this is actually an
improvement, and their DNSKEY lookup failure rates are now
much more in line with other TLDs.
Another notable change this month is a dramatic reduction of
the failure rate for .bank domains down from around 40% to now
just under 2%. ]
The October 2018 numbers from the DANE/DNSSEC survey are:
Total DS RRsets: 8,892,722
Validatable apex DNSKEY RRsets: 8,784,047
DNSKEY parameter frequency (1000 or more instances), by zone count:
kskalgs | flags | proto | alg
--------+-------+-------+-----
4799 | 257 | 3 | 3
358866 | 257 | 3 | 5
2181383 | 257 | 3 | 7
4214909 | 257 | 3 | 8
99379 | 257 | 3 | 10
1862117 | 257 | 3 | 13
62103 | 257 | 3 | 14
--------+-------+-------+-----
zskalgs | flags | proto | alg
--------+-------+-------+-----
4799 | 256 | 3 | 3
131576 | 256 | 3 | 5
2169533 | 256 | 3 | 7
4152920 | 256 | 3 | 8
97623 | 256 | 3 | 10
802835 | 256 | 3 | 13
61173 | 256 | 3 | 14
--------+-------+-------+-----
RSA key size distribution (1000 or more instances), by zone count:
kskdomains | bits
-----------+------
67664 | 4096
5180564 | 2048
300945 | 1536
3099 | 1280
1302697 | 1024
8186 | 512
-----------+------
zskdomains | bits
-----------+------
13494 | 4096
112066 | 2048
305604 | 1280
6112043 | 1024
7997 | 512
-----------+------
RSA exponent distribution:
domains | exp
--------+--------------
6843702 | \x010001
12976 | \x0100000001
439 | \x03
47 | \xff39 (65337 typo)
34 | \x40000003
20 | \xffff (65535 seems a poor choice)
--------+--------------
Breakdown by TLD of secure delegations found where the count
exceeds 999, ordered by decreasing number of domains (the true
number may be higher where authoritative data is not available):
TLD | total-DS
------------+---------
nl | 3094014
com | 936763
se | 774118
cz | 596390
br | 509218
eu | 500128
pl | 474990
fr | 402490
no | 381396
be | 151785
net | 129681
nu | 123192
hu | 120595
org | 97152
de | 87601
ch | 58441
info | 37590
app | 36439
uk | 32743
dk | 23185
ovh | 21635
biz | 19602
es | 16859
mx | 16727
hk | 14907
io | 13874
pt | 12535
shop | 10105
me | 9224
us | 7256
xyz | 6772
online | 6742
at | 6093
co | 5562
amsterdam | 5199
frl | 4096
kr | 3936
re | 3677
tech | 3601
lv | 3596
cloud | 3592
fi | 3335
tv | 3227
paris | 2782
bank | 2722
ru | 2616
ca | 2581
in | 2576
nrw | 2506
store | 2362
xn--j6w193g | 2094
email | 1918
club | 1898
immo | 1769
art | 1673
world | 1661
ee | 1542
is | 1514
bzh | 1466
site | 1317
cc | 1291
pro | 1249
space | 1245
au | 1230
gov | 1164
agency | 1146
mobi | 1082
design | 1067
li | 1036
one | 1035
nz | 1005
------------+---------
DNSKEY lookup failure rates (whether bogus, or just lame
delegation, ...) by TLD with 1000 or more signed delegations,
ordered by increasing failure rate. The winners for least
DNS-breakage are still Hong Kong (1st and 3rd place) and
Brazil (2nd place):
TLD | failed-DS | total-DS | %fail
------------+-----------+----------+-------
xn--j6w193g | 0 | 2094 | .00
br | 196 | 509218 | .04
hk | 7 | 14907 | .05
is | 2 | 1514 | .13
app | 74 | 36439 | .20
mx | 34 | 16727 | .20
immo | 5 | 1769 | .28
art | 5 | 1673 | .30
ovh | 72 | 21635 | .33
re | 13 | 3677 | .35
bzh | 8 | 1466 | .55
de | 491 | 87601 | .56
paris | 17 | 2782 | .61
nl | 19722 | 3094014 | .64
no | 2462 | 381396 | .65
hu | 892 | 120595 | .74
fr | 3028 | 402490 | .75
world | 13 | 1661 | .78
agency | 9 | 1146 | .79
pro | 12 | 1249 | .96
ch | 574 | 58441 | .98
fi | 33 | 3335 | .99
cz | 6064 | 596390 | 1.02
ee | 16 | 1542 | 1.04
eu | 5301 | 500128 | 1.06
be | 1686 | 151785 | 1.11
gov | 13 | 1164 | 1.12
tv | 38 | 3227 | 1.18
biz | 249 | 19602 | 1.27
one | 14 | 1035 | 1.35
info | 509 | 37590 | 1.35
cloud | 49 | 3592 | 1.36
mobi | 15 | 1082 | 1.39
tech | 51 | 3601 | 1.42
pt | 183 | 12535 | 1.46
org | 1493 | 97152 | 1.54
online | 105 | 6742 | 1.56
shop | 162 | 10105 | 1.60
se | 12695 | 774118 | 1.64
li | 17 | 1036 | 1.64
io | 242 | 13874 | 1.74
me | 163 | 9224 | 1.77
kr | 70 | 3936 | 1.78
cc | 24 | 1291 | 1.86
store | 44 | 2362 | 1.86
nz | 19 | 1005 | 1.89
net | 2550 | 129681 | 1.97
bank | 54 | 2722 | 1.98
nu | 2495 | 123192 | 2.03
us | 158 | 7256 | 2.18
dk | 518 | 23185 | 2.23
at | 141 | 6093 | 2.31
design | 25 | 1067 | 2.34
com | 22694 | 936763 | 2.42
pl | 11694 | 474990 | 2.46
amsterdam | 134 | 5199 | 2.58
club | 49 | 1898 | 2.58
space | 34 | 1245 | 2.73
uk | 966 | 32743 | 2.95
email | 61 | 1918 | 3.18
ca | 83 | 2581 | 3.22
xyz | 236 | 6772 | 3.48
es | 591 | 16859 | 3.51
co | 212 | 5562 | 3.81
lv | 165 | 3596 | 4.59
site | 61 | 1317 | 4.63
frl | 213 | 4096 | 5.20
au | 70 | 1230 | 5.69
in | 163 | 2576 | 6.33
ru | 247 | 2616 | 9.44
nrw | 291 | 2506 | 11.61
------------+-----------+----------+-------
--
Viktor.
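Added example, not part of the original post and not the survey's own code: one way to derive the flags/alg, RSA key size and RSA exponent columns tabulated above from DNSKEY RDATA in wire format (RFC 4034 header, RFC 3110 RSA key encoding). The function names and the sample keys are assumptions made for illustration; the sample moduli are constructed filler bytes, not real RSA moduli.

```python
import struct
from collections import Counter

RSA_ALGS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def parse_rsa_dnskey(rdata: bytes) -> dict:
    """Decode DNSKEY RDATA (RFC 4034) carrying an RSA public key (RFC 3110)."""
    if len(rdata) < 6:
        raise ValueError("DNSKEY RDATA too short")
    flags, proto, alg = struct.unpack("!HBB", rdata[:4])
    if alg not in RSA_ALGS:
        raise ValueError(f"algorithm {alg} is not an RSA algorithm")
    key = rdata[4:]
    elen, off = key[0], 1          # one-octet exponent length ...
    if elen == 0:                  # ... or 0 followed by a two-octet length
        if len(key) < 3:
            raise ValueError("truncated exponent length")
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    exp, mod = key[off:off + elen], key[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated RSA key")
    return {
        "role": "ksk" if flags & 0x0001 else "zsk",   # SEP bit: 257 vs 256
        "flags": flags, "proto": proto, "alg": alg,
        "exp": "\\x" + exp.hex(),                      # notation used in the table
        "exponent": int.from_bytes(exp, "big"),
        "bits": int.from_bytes(mod, "big").bit_length(),
    }

def tally(rdatas):
    """Count (role, bits) pairs and exponent values across a set of keys."""
    sizes, exps = Counter(), Counter()
    for rd in rdatas:
        k = parse_rsa_dnskey(rd)
        sizes[(k["role"], k["bits"])] += 1
        exps[k["exp"]] += 1
    return sizes, exps

def sample_rdata(flags, alg, exp, nbytes):
    """Constructed test key: the modulus is filler, not a real RSA modulus."""
    modulus = b"\xc1" + b"\x00" * (nbytes - 2) + b"\x01"
    return struct.pack("!HBBB", flags, 3, alg, len(exp)) + exp + modulus

SAMPLES = [  # constructed inputs
    sample_rdata(257, 8, bytes.fromhex("010001"), 256),  # 2048-bit KSK, e=65537
    sample_rdata(256, 8, bytes.fromhex("010001"), 128),  # 1024-bit ZSK, e=65537
    sample_rdata(256, 7, bytes.fromhex("ff39"), 128),    # 1024-bit ZSK, e=65337
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```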