[dns-operations] Speaking of fixing things...
ietf-dane at dukhovni.org
Fri Oct 30 05:56:25 UTC 2020
I have a list of ~69k domain names with extant DS RRsets, where the
DNSKEY RRset has been either unavailable or failing validation for 180
days or more (92k domains if the bar is set to 90 days). These span 439
TLDs! Of these domains, ~30k are simply lame and zone apex NS lookups
fail even with CD=1. The remaining ~39k likely have DNSSEC-specific
The top 25 TLDs by count of long-term dead signed delegations are:
If any of the TLDs have policies that allow the deadwood to be delisted
(still registered, but not delegated) I can provide the list of
domains... It would be nice to see less breakage in the live zones.
More information about the dns-operations