[dns-operations] Speaking of fixing things...
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Oct 30 05:56:25 UTC 2020
I have a list of ~69k domain names with extant DS RRsets, where the
DNSKEY RRset has been either unavailable or failing validation for 180
days or more (92k domains if the bar is set to 90 days). These span 439
TLDs! Of these domains, ~30k are simply lame and zone apex NS lookups
fail even with CD=1. The remaining ~39k likely have DNSSEC-specific
misconfiguration.
The top 25 TLDs by count of long-term dead signed delegations are:
24742 com
9258 nl
5357 se
4553 cz
2897 net
2763 eu
2044 pl
1661 org
1070 no
1035 hu
992 fr
916 nu
731 uk
701 info
594 be
562 ch
557 xyz
552 de
421 es
349 sk
346 dk
321 app
282 io
250 biz
240 pt
If any of the TLDs have policies that allow the deadwood to be delisted
(still registered, but not delegated) I can provide the list of
domains... It would be nice to see less breakage in the live zones.
--
Viktor.
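The triage the message describes (broken for at least 180 or 90 days, then split by whether zone apex NS lookups fail even with CD=1), as an added example that is not part of the original post. The `Probe` schema, the function names and the sample observations are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class Probe:  # hypothetical schema: one observation of a delegation with a DS RRset
    domain: str
    day: date
    ns_ok_cd1: bool     # zone apex NS lookup succeeded with CD=1 (validation off)
    dnskey_valid: bool  # DNSKEY RRset was available and validated

def triage(probes, today, min_days=180):
    """Map each domain broken for >= min_days to 'lame' or 'dnssec-misconfig'."""
    by_domain = {}
    for p in sorted(probes, key=lambda p: p.day):
        by_domain.setdefault(p.domain, []).append(p)
    result = {}
    for domain, obs in by_domain.items():
        latest = obs[-1]
        if latest.dnskey_valid:
            continue  # currently healthy
        # Broken since the last good validation, or since first seen if never good.
        good_days = [p.day for p in obs if p.dnskey_valid]
        broken_since = max(good_days) if good_days else obs[0].day
        if (today - broken_since).days < min_days:
            continue  # not yet long-term dead
        # NS lookup failing even with CD=1 means the zone is lame, not just mis-signed.
        result[domain] = "dnssec-misconfig" if latest.ns_ok_cd1 else "lame"
    return result

def tld_counts(domains):
    """Count domains per TLD, most frequent first."""
    return Counter(d.rstrip(".").rsplit(".", 1)[-1] for d in domains).most_common()

TODAY = date(2020, 10, 30)
D0, D1, D2 = date(2020, 4, 1), date(2020, 7, 15), date(2020, 10, 29)
SAMPLE = [  # constructed observations under reserved TLDs
    Probe("lame.example", D0, False, False), Probe("lame.example", D2, False, False),
    Probe("badkeys.example", D0, True, False), Probe("badkeys.example", D2, True, False),
    Probe("recent.test", D1, True, True), Probe("recent.test", D2, True, False),
    Probe("healthy.test", D0, True, True), Probe("healthy.test", D2, True, True),
]

if __name__ == "__main__":
    dead = triage(SAMPLE, TODAY)
    print(dead, tld_counts(dead))
```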