[dns-operations] [Ext] Progress on algorithm 5 and 7 decommissioning

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 14 18:14:00 UTC 2020

On Wed, Oct 14, 2020 at 05:33:15PM +0000, Edward Lewis wrote:
> On 10/14/20, 12:29 PM, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
>     On Wed, Oct 14, 2020 at 03:27:35PM +0000, Edward Lewis wrote:
>     > This is visible in the attached chart of ccTLD "crypto-choices".  (I'm
>     > on the agenda for ICANN 69's Tech Day to talk about DNSSEC in the
>     > TLDs.  I'll have longer-term views of that chart in the slide deck,
>     > this just focuses on 2020.)
>     Is that a graph of algorithms used directly by the ccTLD to sign the
>     ccTLD zone, or a graph of algorithms used by child domains of the
>     ccTLDs?  My graph's for the latter, across all TLDs, not just ccTLDs,
>     though the data is admittedly only as complete as the 80% to 90% or so
>     of the various zones I'm able to scavenge when official feeds are not
>     available.
> The data is for the TLD (or the one-label name delegated from the
> root) itself, i.e., what's at the apex.

Thanks for the clarification, that's what I thought...

> I don't have (special) access to what's inside any given ccTLD.  I
> mean, we can scrounge for available ccTLD zone files, but I couldn't
> "source" meaningful data just from that set.

Well, the zone files themselves are generally not available in most
cases, but it is possible over time to piece together a pretty decent
subset of many zones from a variety of sources of live domain names.
These give a much broader picture of DNSSEC practice than what one
learns by looking at just the ~1500 TLD DNS/DNSKEY RRsets.

Between CZDS for the gTLDs (other than aero), some ccTLD zones for which
data is available (.se, .nu, .fr with ~30-60 day time delay, ...) and
the ad-hoc sources I have:

      208,287,670 domain names from CZDS
       62,442,671 misc. unsigned subdomains of signed TLDs
        4,398,423 signed domains from full feeds and misc sources
      275,128,764 Total known, of which:
       12,737,901 Have DS RRs at the parent (basis of my graphs)
       12,599,649 Have an apex DNSKEY RRset that is valid

Among the zones where DNSKEY validation is failing,

          ~72,000 Also fail with the CD bit, probably lame
          ~66,000 Show signs of life with CD set, but this
                  does not imply active use, likely parked
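
The three-way split above (apex DNSKEY validates / fails even with CD set / answers only with CD set) comes down to comparing a validating resolver's answers to the same DNSKEY query sent without and with the CD bit. The following is an added example, written for this archive and not Viktor's or DNS-OARC's survey code: it builds the query packets at the wire level with only the standard library, decodes the response header, and sorts a zone into the buckets named in the message. The sample responses are constructed in the block (no network traffic), the zone names are placeholders, and the classification assumes the resolver being asked is a validating one, since only then does a missing AD bit or a SERVFAIL without CD mean anything.

```python
import struct
from collections import Counter

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authenticated data: the resolver validated the answer
FLAG_CD = 0x0010   # checking disabled: hand back data without validating it
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

QTYPE_DS = 43
QTYPE_DNSKEY = 48
QCLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, checking_disabled=False, txid=0x1234):
    """Recursive query for name/qtype; checking_disabled=True sets the CD bit."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header into the fields the classification needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify_zone(ds, dnskey_plain, dnskey_cd):
    """Sort a zone by three parsed headers from a validating resolver:
    ds           - answer to a DS query at the parent
    dnskey_plain - answer to an apex DNSKEY query without CD
    dnskey_cd    - answer to the same DNSKEY query with CD set"""
    if ds["rcode"] != RCODE_NOERROR or ds["ancount"] == 0:
        return "no-ds"          # not in the signed population at all
    if (dnskey_plain["rcode"] == RCODE_NOERROR and dnskey_plain["ad"]
            and dnskey_plain["ancount"] > 0):
        return "valid"          # apex DNSKEY RRset validated
    if dnskey_cd["rcode"] != RCODE_NOERROR or dnskey_cd["ancount"] == 0:
        return "lame"           # nothing comes back even unvalidated
    return "signs-of-life"      # data exists but does not validate


def make_response(query, rcode, ad=False, ancount=0):
    """Constructed response header echoing the query's id and CD bit.
    Sample data for the demo, not a captured packet."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = (FLAG_QR | FLAG_RD | FLAG_RA | (qflags & FLAG_CD)
             | (FLAG_AD if ad else 0) | rcode)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]


def sample_survey():
    """Tally four constructed zones (placeholder names) into the buckets."""
    # (zone, DS present, plain DNSKEY (rcode, ad, ancount), CD DNSKEY (rcode, ancount))
    samples = [
        ("good.example.",   True,  (RCODE_NOERROR, True, 2),   (RCODE_NOERROR, 2)),
        ("lame.example.",   True,  (RCODE_SERVFAIL, False, 0), (RCODE_SERVFAIL, 0)),
        ("parked.example.", True,  (RCODE_SERVFAIL, False, 0), (RCODE_NOERROR, 2)),
        ("plain.example.",  False, (RCODE_NOERROR, False, 2),  (RCODE_NOERROR, 2)),
    ]
    tally = Counter()
    for zone, has_ds, plain, cd in samples:
        ds_q = build_query(zone, QTYPE_DS)
        ds_r = make_response(ds_q, RCODE_NOERROR, ad=has_ds, ancount=1 if has_ds else 0)
        plain_r = make_response(build_query(zone, QTYPE_DNSKEY), plain[0], plain[1], plain[2])
        cd_r = make_response(build_query(zone, QTYPE_DNSKEY, checking_disabled=True), cd[0], False, cd[1])
        tally[classify_zone(parse_header(ds_r), parse_header(plain_r), parse_header(cd_r))] += 1
    return dict(tally)


if __name__ == "__main__":
    for bucket, n in sorted(sample_survey().items()):
        print(f"{n:>4} {bucket}")
```

To run this against real zones, replace `make_response` with a UDP/TCP exchange to a validating resolver and keep everything else; the resolver's SERVFAIL on the plain query with a successful CD query is exactly the "signs of life" case, while SERVFAIL on both points at lame delegation.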
