2018-04-20 DNSSEC query measurements

Previous DNSSEC measurements looked at the percentage of end-users that are using validating resolvers. I am interested in a different question - what percentage of the queries arriving at a recursive resolver are in domains that are secured by DNSSEC? I wrote a bit of code to answer that question.

On a small corporate network, I added DNS query logging to the BIND configuration of the local recursive validating resolver, and then analyzed the resulting log files with a simple script. Consider a query for "googleads.g.doubleclick.net". The public suffix list was used to find "doubleclick.net" as the domain of interest. The script then determines DNSSEC status by looking for a DS record for that domain. Queries for local resources such as the name of the local mail server were removed, as were all the queries generated by local servers. The script only considered queries from normal user workstations for external resources. It then generated a list containing (query count, DNSSEC status, domain) tuples.

...
21 not influid.co
21 not londonist.com
21 yes noaa.gov
21 not redrock-interactive.com
21 not staticsfly.com
...
880 not flashtalking.com
882 yes mozilla.org
896 not nr-data.net
899 not bidswitch.net
...
25803 not microsoft.com
26691 not akadns.net
30271 not trendmicro.com
32971 not facebook.com
73646 not google.com
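
The pipeline described above can be sketched as follows. This is an added example, not the script used for these measurements: the function names, the small suffix set, the log lines and the stubbed DS answers are all constructed, and `has_ds_live` assumes the dnspython package.

```python
import re
from collections import Counter

# Constructed subset of the public suffix list; wildcard and exception rules are ignored.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co", "co.uk"}
# BIND 9 query-log line; newer versions add an "@0x..." token after "client".
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+ .*?query: (\S+) IN ")

def registered_domain(qname, suffixes=PUBLIC_SUFFIXES):
    """Longest matching public suffix plus one label, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):              # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i else None
    return None

def tally(log_lines, has_ds, workstations, local_zones=()):
    """Sorted (query count, DNSSEC status, domain) tuples; one DS lookup per domain."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group(1) not in workstations:   # skip noise and server-generated queries
            continue
        domain = registered_domain(m.group(2))
        if domain and domain not in local_zones:      # skip local resources
            counts[domain] += 1
    return sorted((n, "yes" if has_ds(d) else "not", d) for d, n in counts.items())

def secured_share(rows):
    """Return (queries in domains with a DS record, total queries)."""
    return sum(n for n, s, _ in rows if s == "yes"), sum(n for n, _, _ in rows)

def has_ds_live(domain):
    """DS lookup with dnspython (assumed installed; needs network access)."""
    import dns.resolver
    try:
        dns.resolver.resolve(domain, "DS")
        return True
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return False

# Constructed sample data: documentation addresses, made-up timestamps, stubbed DS answers.
def _line(client, qname):
    return f"20-Apr-2018 10:00:00.000 client {client}#40000 ({qname}): query: {qname} IN A + (192.0.2.1)"
SAMPLE_LOG = [_line(c, q) for c, q in [
    ("192.0.2.10", "googleads.g.doubleclick.net"), ("192.0.2.10", "www.mozilla.org"),
    ("192.0.2.11", "www.google.com"), ("192.0.2.11", "mail.google.com"), ("192.0.2.11", "www.noaa.gov"),
    ("192.0.2.53", "www.noaa.gov"), ("192.0.2.10", "mail.example.com")]]
SIGNED = {"mozilla.org", "noaa.gov"}
ROWS = tally(SAMPLE_LOG, SIGNED.__contains__, {"192.0.2.10", "192.0.2.11"}, {"example.com"})
```

For a real run, pass `has_ds_live` instead of the stub and load the full public suffix list. A DS record in the parent zone only shows that the delegation is signed, so the lookup should go through a validating resolver.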

2015-07-02; Out of 783K queries, only 2700 queries (0.3%) were for names in zones that are secured with DNSSEC. It would be interesting to see the results of this sort of measurement at a large public resolver like 8.8.8.8.

2015-07-08; Out of 1.5M queries, 7500 (0.5%) were for names in zones that are secured with DNSSEC. Is the percentage really growing that rapidly? Apparently not.

2015-07-31; Out of 1.5M queries, 3735 (0.25%) were for names in zones that are secured with DNSSEC.

2015-09-28; Out of 1.4M queries, 7448 (0.5%) were for names in zones that are secured with DNSSEC.

2016-09-07; Out of 1.3M queries, 7607 (0.6%) were for names in zones that are secured with DNSSEC.

2018-02-26; Out of 1.2M queries, 7643 (0.6%) were for names in zones that are secured with DNSSEC.

2018-04-20; Out of 888K queries, 7380 (0.8%) were for names in zones that are secured with DNSSEC.