
2018-12-10 DNSSEC query measurements

Previous DNSSEC measurements looked at the percentage of end-users that are using validating resolvers. I am interested in a different question - what percentage of the queries arriving at a recursive resolver are in domains that are secured by DNSSEC? I wrote a bit of code to answer that question.

On a small corporate network, I added DNS query logging to the BIND configuration of the local recursive validating resolver, and then analyzed the resulting log files with a simple script. Consider a query for "googleads.g.doubleclick.net". The public suffix list was used to find "doubleclick.net" as the domain of interest. The script then determined DNSSEC status by looking for a DS record for that domain. Queries for local resources, such as the name of the local mail server, were removed, as were all the queries generated by local servers. The script only considered queries from normal user workstations for external resources. It then generated a list containing (query count, DNSSEC status, domain) tuples.

...
20 not yahoo.net
20 not yhoo.it
21 not adspirit.net
21 not adsrvs.com
21 not adstanding.com
...
1229 not pandora.com
1235 not adsymptotic.com
1239 not w55c.net
1262 yes mozilla.net
1265 not go.com
1272 not teads.tv
...
24536 not apple.com
29428 not msedge.net
32893 not akamaiedge.net
47030 not google.com
49154 not live.com
72492 not office365.com
143308 not microsoft.com
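A minimal sketch of the analysis described above, added here as an example and not the author's script. The log lines, the reduced suffix set, the local zone, the server address and the DS results are all constructed so that it runs offline; a real run would use the full public suffix list and live DS lookups.

```python
import re
from collections import Counter

# Constructed stand-ins: a real run loads the full public suffix list (its
# wildcard/exception rules are ignored here) and queries DS records.
SUFFIXES = {"com", "net", "org", "uk", "co.uk"}
SIGNED = {"mozilla.net"}            # constructed DS-lookup result
LOCAL_ZONES = ("corp.example",)     # hypothetical internal zone
SERVERS = {"192.168.1.5"}           # hypothetical local server address

# BIND query-log line; newer versions add "@0x..." after "client".
QUERY = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#\d+ \(([^)]+)\): query:")

# Constructed BIND query-log lines.
SAMPLE_LOG = """\
10-Dec-2018 09:15:01.101 client 192.168.1.20#53211 (googleads.g.doubleclick.net): query: googleads.g.doubleclick.net IN A + (192.168.1.1)
10-Dec-2018 09:15:02.214 client 192.168.1.21#40112 (www.mozilla.net): query: www.mozilla.net IN A + (192.168.1.1)
10-Dec-2018 09:15:02.950 client 192.168.1.21#40113 (mail.corp.example): query: mail.corp.example IN A + (192.168.1.1)
10-Dec-2018 09:15:03.007 client 192.168.1.5#33001 (outlook.office365.com): query: outlook.office365.com IN A + (192.168.1.1)
10-Dec-2018 09:15:04.480 client 192.168.1.20#53212 (pagead2.g.doubleclick.net): query: pagead2.g.doubleclick.net IN A + (192.168.1.1)
""".splitlines()

def registrable_domain(name, suffixes=SUFFIXES):
    """Longest matching public suffix plus one label, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i else None

def is_local(qname):
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)

def tally(lines, has_ds=lambda d: d in SIGNED):
    """Return sorted (query count, DNSSEC status, domain) tuples."""
    counts = Counter()
    for line in lines:
        m = QUERY.search(line)
        if not m or m.group(1) in SERVERS:   # skip queries from local servers
            continue
        qname = m.group(2).lower().rstrip(".")
        domain = None if is_local(qname) else registrable_domain(qname)
        if domain:
            counts[domain] += 1
    return sorted((n, "yes" if has_ds(d) else "not", d)
                  for d, n in counts.items())

def signed_share(rows):
    total = sum(n for n, _, _ in rows)
    return sum(n for n, s, _ in rows if s == "yes") / total if total else 0.0
```

Passing a different `has_ds` callable to `tally` swaps the constructed lookup for a real DS query against the resolver.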

2015-07-02; Out of 783K queries, only 2700 queries (0.3%) were for names in zones that are secured with DNSSEC. It would be interesting to see the results of this sort of measurement at a large public resolver like 8.8.8.8.

2015-07-08; Out of 1.5M queries, 7500 (0.5%) were for names in zones that are secured with DNSSEC. Is the percentage really growing that rapidly? Apparently not.

2015-07-31; Out of 1.5M queries, 3735 (0.25%) were for names in zones that are secured with DNSSEC.

2015-09-28; Out of 1.4M queries, 7448 (0.5%) were for names in zones that are secured with DNSSEC.

2016-09-07; Out of 1.3M queries, 7607 (0.6%) were for names in zones that are secured with DNSSEC.

2018-02-26; Out of 1.2M queries, 7643 (0.6%) were for names in zones that are secured with DNSSEC.

2018-04-20; Out of 888K queries, 7380 (0.8%) were for names in zones that are secured with DNSSEC.

2018-12-10; Out of 1.2M queries, 9125 (0.7%) were for names in zones that are secured with DNSSEC. That client recently moved to Office365 for email, so they have many more queries for office365.com and microsoft.com. If we ignore those two names, 0.9% of the queries were for names in DNSSEC zones. Ignoring those two names in the data from 2018-04-20 gives the same 0.9% result.