[dns-operations] nsec vs nsec3 use
Casey Deccio
casey at deccio.net
Thu Apr 15 03:30:13 UTC 2021
> On Apr 12, 2021, at 7:51 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
> I took a survey of at the time ~14.4 million DNSSEC signed domains, of
> which ~10.9 million used NSEC3.
We did a study a few years ago, with a much smaller data set than Viktor's. But the numbers were very much in the same ballpark:
NSEC3: 83%
NSEC: 13%
But more specifically:
NSEC3 (traditional): 53%
NSEC3 (white lies): 30%
NSEC (traditional): 11%
NSEC (black lies): 2%
Note that the remaining 4% were unclassified because of inconsistent behavior.
Also:
> On Apr 13, 2021, at 10:40 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> - Most zones have no secrets, often just the zone apex and a couple
> of common labels, "www", "smtp", "mx1", ...
Again, we have some empirical measurements to confirm this. Nearly 90% of zones signed with NSEC3 have fewer than 10 names.
The full paper is here:
https://casey.byu.edu/papers/2019_pam_dnssec_lies.pdf
And an OARC presentation on the topic here:
https://indico.dns-oarc.net/event/32/contributions/725/attachments/699/1151/2019-11-01-dnssec-lies-oarc.pdf
Cheers,
Casey
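The four categories above (traditional NSEC3, NSEC3 white lies, traditional NSEC, NSEC black lies) can be told apart from the denial-of-existence records a server returns. The following is an added example, not code from the thread or from the paper, showing one way to classify a single NSEC or NSEC3 answer offline. It computes the RFC 5155 NSEC3 hash of the queried name and assumes the common "white lies" scheme in which an online signer emits an NSEC3 record whose owner hash is the query hash minus one and whose next hash is the query hash plus one; for NSEC it assumes the "black lies" pattern of a next name equal to `\000.<qname>`. The sample records are constructed inline, and the function names are the example's own.

```python
import base64
import hashlib

# RFC 4648 base32hex alphabet versus the standard base32 alphabet used by base64.b32encode
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
_B32HEX_TO_B32 = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
_HASH_SPACE = 1 << 160  # SHA-1 output size, the modulus for "hash plus/minus one"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of an absolute DNS name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 NSEC3 hash (SHA-1 only), returned as lowercase base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).lower()


def b32hex_to_int(label: str) -> int:
    raw = base64.b32decode(label.upper().translate(_B32HEX_TO_B32))
    return int.from_bytes(raw, "big")


def int_to_b32hex(value: int) -> str:
    raw = value.to_bytes(20, "big")
    return base64.b32encode(raw).decode().translate(_B32_TO_B32HEX).lower()


def classify_nsec(owner: str, next_name: str) -> str:
    """Black lies: the NSEC covers exactly the queried name, next name is \\000.<owner>."""
    if next_name.lower() == "\\000." + owner.lower():
        return "NSEC (black lies)"
    return "NSEC (traditional)"


def classify_nsec3(qname: str, salt_hex: str, iterations: int,
                   owner_label: str, next_label: str) -> str:
    """Assumed white-lies heuristic: owner hash == H(qname)-1 and next hash == H(qname)+1.

    owner_label/next_label are the bare hash labels (the zone suffix stripped from the owner).
    """
    h = b32hex_to_int(nsec3_hash(qname, salt_hex, iterations))
    if (b32hex_to_int(owner_label) == (h - 1) % _HASH_SPACE
            and b32hex_to_int(next_label) == (h + 1) % _HASH_SPACE):
        return "NSEC3 (white lies)"
    return "NSEC3 (traditional)"


def make_white_lie(qname: str, salt_hex: str, iterations: int) -> tuple:
    """Constructed sample: the owner/next labels an online signer would emit under the assumed scheme."""
    h = b32hex_to_int(nsec3_hash(qname, salt_hex, iterations))
    return int_to_b32hex((h - 1) % _HASH_SPACE), int_to_b32hex((h + 1) % _HASH_SPACE)


if __name__ == "__main__":
    # Constructed sample answers; the NSEC3 parameters (salt aabbccdd, 12 iterations) are just test values.
    print(classify_nsec("www.example.com.", "\\000.www.example.com."))
    print(classify_nsec("www.example.com.", "mail.example.com."))
    owner, nxt = make_white_lie("nosuch.example.", "aabbccdd", 12)
    print(classify_nsec3("nosuch.example.", "aabbccdd", 12, owner, nxt))
    print(classify_nsec3("nosuch.example.", "aabbccdd", 12,
                         "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom", "2t7b4g4vsa5smi47k61mv5bv1a22bojr"))
```

Classifying a whole zone, as the study did, means issuing several queries and checking that the answers behave consistently; a zone that mixes patterns across queries would fall into the "unclassified" bucket the message mentions.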