[dns-operations] September 2018 DNSSEC stats
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Sep 30 00:21:35 UTC 2018
[ With credit due to Paul Vixie of Farsight Security for supporting
this survey with ongoing data snapshots that help to significantly
improve the survey's coverage. Also of course ICANN for the gTLD
data via CZDS and data contributions from the TLD registries for
.CH, .COM, .DK, .INFO, .NAME, .LI, .NL and .ORG and open access
for .FR, .NU and .SE. More data sources of ccTLD signed delegations
welcome. ]
The September 2018 numbers from the DANE/DNSSEC survey are:
Total DS RRsets: 8,913,611
Validatable apex DNSKEY RRsets: 8,766,973
DNSKEY parameter frequency (1000 or more instances), by zone count:
kskalgs | flags | proto | alg
--------+-------+-------+-----
4780 | 257 | 3 | 3
358979 | 257 | 3 | 5
2210428 | 257 | 3 | 7
4198328 | 257 | 3 | 8
87469 | 257 | 3 | 10
1844138 | 257 | 3 | 13
62481 | 257 | 3 | 14
--------+-------+-------+-----
zskalgs | flags | proto | alg
--------+-------+-------+-----
4780 | 256 | 3 | 3
132748 | 256 | 3 | 5
2192269 | 256 | 3 | 7
4142767 | 256 | 3 | 8
87250 | 256 | 3 | 10
791434 | 256 | 3 | 13
61548 | 256 | 3 | 14
--------+-------+-------+-----
RSA key size distribution (1000 or more instances), by zone count:
kskdomains | bits
------------+------
67580 | 4096
5149822 | 2048
302182 | 1536
2992 | 1280
1333428 | 1024
8392 | 512
------------+------
zskdomains | bits
-----------+------
13287 | 4096
110595 | 2048
306770 | 1280
6115735 | 1024
8169 | 512
-----------+------
RSA exponent distribution:
domains | exp
---------+--------------
6921394 | \x010001
13045 | \x0100000001
439 | \x03
50 | \xff39 (65337 typo)
34 | \x40000003
20 | \xffff (65535 seems a poor choice)
---------+--------------
Breakdown by TLD of secure delegations found where the count
exceeds 999, ordered by decreasing numer of domains (the true
number may be higher where authoritative data is not available):
TLD total-DS
------------+---------
nl | 3089053
com | 935031
se | 820517
cz | 597581
br | 507585
eu | 503421
pl | 472005
fr | 411671
no | 377745
be | 145816
net | 130158
nu | 129791
hu | 119016
org | 97683
de | 85798
ch | 48458
info | 38025
app | 35246
uk | 32578
dk | 23273
ovh | 22479
biz | 19442
mx | 16697
es | 16273
hk | 14097
io | 13543
pt | 12623
me | 9075
shop | 7100
xyz | 7044
us | 6958
online | 6668
at | 5893
co | 5369
amsterdam | 4817
frl | 3992
re | 3668
kr | 3658
lv | 3575
tech | 3543
cloud | 3252
fi | 3122
tv | 3047
paris | 2878
bank | 2720
nrw | 2506
ru | 2489
in | 2460
store | 2413
ca | 2234
xn--j6w193g | 1897
club | 1887
email | 1870
immo | 1784
art | 1631
world | 1606
bzh | 1500
ee | 1476
is | 1306
site | 1250
space | 1239
au | 1212
gov | 1156
cc | 1144
pro | 1101
agency | 1089
mobi | 1088
design | 1029
------------+---------
DNSKEY lookup failure rates (whether bogus, or just lame
delegation, ...) by TLD with 1000 or more signed delegations,
ordered by increasing failure rate:
TLD | failed-DS | total-DS | %fail
------------+-----------+----------+-------
xn--j6w193g | 0 | 1897 | .00
br | 220 | 507585 | .04
hk | 8 | 14097 | .06
app | 60 | 35246 | .17
mx | 34 | 16697 | .20
art | 4 | 1631 | .25
re | 10 | 3668 | .27
immo | 5 | 1784 | .28
ovh | 75 | 22479 | .33
bzh | 8 | 1500 | .53
is | 7 | 1306 | .54
world | 9 | 1606 | .56
paris | 17 | 2878 | .59
no | 2275 | 377745 | .60
de | 525 | 85798 | .61
nl | 19600 | 3089053 | .63
shop | 46 | 7100 | .65
hu | 902 | 119016 | .76
fr | 3126 | 411671 | .76
agency | 9 | 1089 | .83
ee | 13 | 1476 | .88
cz | 6357 | 597581 | 1.06
be | 1553 | 145816 | 1.07
eu | 5463 | 503421 | 1.09
fi | 35 | 3122 | 1.12
ch | 560 | 48458 | 1.16
pro | 13 | 1101 | 1.18
tv | 36 | 3047 | 1.18
biz | 243 | 19442 | 1.25
tech | 48 | 3543 | 1.35
cloud | 45 | 3252 | 1.38
mobi | 16 | 1088 | 1.47
gov | 17 | 1156 | 1.47
info | 576 | 38025 | 1.51
pt | 199 | 12623 | 1.58
org | 1564 | 97683 | 1.60
online | 121 | 6668 | 1.81
kr | 69 | 3658 | 1.89
io | 258 | 13543 | 1.91
me | 176 | 9075 | 1.94
net | 2593 | 130158 | 1.99
cc | 23 | 1144 | 2.01
pl | 10162 | 472005 | 2.15
us | 153 | 6958 | 2.20
dk | 523 | 23273 | 2.25
at | 140 | 5893 | 2.38
com | 22883 | 935031 | 2.45
club | 48 | 1887 | 2.54
store | 62 | 2413 | 2.57
design | 28 | 1029 | 2.72
amsterdam | 139 | 4817 | 2.89
email | 56 | 1870 | 2.99
uk | 990 | 32578 | 3.04
space | 40 | 1239 | 3.23
ca | 74 | 2234 | 3.31
es | 567 | 16273 | 3.48
xyz | 259 | 7044 | 3.68
co | 218 | 5369 | 4.06
lv | 170 | 3575 | 4.76
frl | 211 | 3992 | 5.29
se | 46500 | 820517 | 5.67
au | 75 | 1212 | 6.19
in | 164 | 2460 | 6.67
site | 85 | 1250 | 6.80
nu | 9614 | 129791 | 7.41
ru | 240 | 2489 | 9.64
nrw | 289 | 2506 | 11.53
bank | 1142 | 2720 | 41.99
------------+-----------+----------+-------
--
Viktor.
More information about the dns-operations
mailing list