[dns-operations] January 2019 DNSSEC stats
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Jan 31 21:31:45 UTC 2019
[ With credit due to Paul Vixie of Farsight Security for supporting
this survey with ongoing data snapshots that help to significantly
improve the survey's coverage. Also of course ICANN for the gTLD
data via CZDS and data contributions from the TLD registries for
.CH, .COM, .DK, .INFO, .IS, .NAME, .LI, .NL and .ORG and open access
for .FR, .NU and .SE. More data sources of ccTLD signed delegations
welcome.
With help with Wes Hardaker, the data in this report are updated
daily at <http://stats.dnssec-tools.org/>. ]
The January 2019 numbers from the DANE/DNSSEC survey are:
http://stats.dnssec-tools.org/#summary
Total DS RRsets: 9,253,303
Validatable apex DNSKEY RRsets: 9,107,865
The second of these crossed 9 million for the first time today.
The in progress migration mentioned last month is almost, but not
yet done, so I expect another O(100k) bump once the re-signed domains
are back.
The DANE numbers are substantially higher, with DANE TLSA records
present for the MX hosts of ~1.067 million domains:
http://stats.dnssec-tools.org/#graphs
Also for the first time this month, the number of ECDSA P256
(algorithm 13) KSKs has edged ahead of the number of algorithm 7
KSKs.
http://stats.dnssec-tools.org/#parameter
I also want to mention some early signs of DNSSEC adoption by
Google's email servers:
mx{1,2,3,4}.smtp.goog
though these were already signed back in late September 2018, I
only recently noticed that these are alternative names for the usual
relays handling Gmail and corporate customer email. Though there
are as yet very few signed customer domains with as their MX hosts,
this opens the door to progress towards inbound DANE for Google-hosted
email.
--
Viktor.
More information about the dns-operations
mailing list