2018-12-10 DNSSEC query measurements
Previous DNSSEC measurements looked at the percentage of end-users that are using validating resolvers. I am interested in a different question - what percentage of the queries arriving at a recursive resolver are in domains that are secured by DNSSEC? I wrote a bit of code to answer that question.
On a small corporate network, I added DNS query logging to the BIND configuration of the local recursive validating resolver, and then analyzed the resulting log files with a simple script. Consider a query for "googleads.g.doubleclick.net". The public suffix list was used to find "doubleclick.net" as the domain of interest. The script then determines DNSSEC status by looking for a DS record for that domain. Queries for local resources, such as the name of the local mail server, were removed, as were all the queries generated by local servers. The script only considered queries from normal user workstations for external resources. It then generated a list containing (query count, DNSSEC status, domain) tuples.
...
20 not yahoo.net
20 not yhoo.it
21 not adspirit.net
21 not adsrvs.com
21 not adstanding.com
...
1229 not pandora.com
1235 not adsymptotic.com
1239 not w55c.net
1262 yes mozilla.net
1265 not go.com
1272 not teads.tv
...
24536 not apple.com
29428 not msedge.net
32893 not akamaiedge.net
47030 not google.com
49154 not live.com
72492 not office365.com
143308 not microsoft.com
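The analysis described above can be sketched as follows. This is an added example, not the author's script: the function names, the small suffix set, the DS lookup table and the log lines are all constructed so that it runs offline, and a real run would load the full public suffix list and query DS records live.

```python
import re
from collections import Counter

# Constructed subset of the public suffix list; a real run loads the full
# list, which also has wildcard and exception rules not handled here.
PUBLIC_SUFFIXES = {"com", "net", "org", "tv", "it", "co.uk"}
# Constructed stand-in for the DS lookup (assumption: a real run queries the
# DS record for each domain and treats a non-empty answer as "yes").
DS_PRESENT = {"mozilla.net"}
# Client address and query name from a BIND query log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+ .*?query: (\S+) IN ")

def registrable_domain(name):
    """Return public suffix plus one label, or None if no such domain."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def tally(log_lines, workstations, local_domains, has_ds=DS_PRESENT.__contains__):
    """Return sorted (query count, DNSSEC status, domain) tuples."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group(1) not in workstations:
            continue  # unparsable line, or a query from a local server
        domain = registrable_domain(m.group(2))
        if domain is None or domain in local_domains:
            continue  # local resource or name under no known suffix
        counts[domain] += 1
    return sorted((n, "yes" if has_ds(d) else "not", d) for d, n in counts.items())

def secured_fraction(rows):
    """Fraction of counted queries that fell in domains with a DS record."""
    total = sum(n for n, _, _ in rows)
    return sum(n for n, s, _ in rows if s == "yes") / total if total else 0.0

# Constructed log lines (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "10-Dec-2018 09:00:01.101 client 192.0.2.10#40001 (googleads.g.doubleclick.net): query: googleads.g.doubleclick.net IN A + (192.0.2.1)",
    "10-Dec-2018 09:00:02.202 client @0x7f0a1c2d3e40 192.0.2.11#40002 (www.mozilla.net): query: www.mozilla.net IN A + (192.0.2.1)",
    "10-Dec-2018 09:00:03.303 client 192.0.2.10#40003 (ad.doubleclick.net): query: ad.doubleclick.net IN AAAA + (192.0.2.1)",
    "10-Dec-2018 09:00:04.404 client 192.0.2.2#40004 (www.google.com): query: www.google.com IN A + (192.0.2.1)",
    "10-Dec-2018 09:00:05.505 client 192.0.2.11#40005 (mail.example.com): query: mail.example.com IN A + (192.0.2.1)",
]
ROWS = tally(SAMPLE_LOG, {"192.0.2.10", "192.0.2.11"}, {"example.com"})
for row in ROWS:
    print(*row)
print(f"{secured_fraction(ROWS):.1%} of queries in DNSSEC-signed domains")
```

The fourth line is dropped because 192.0.2.2 is not in the workstation set, and the fifth because example.com is treated as the local domain here.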
2015-07-02; Out of 783K queries, only 2700 queries (0.3%) were for names in zones that are secured with DNSSEC. It would be interesting to see the results of this sort of measurement at a large public resolver like 8.8.8.8.
2015-07-08; Out of 1.5M queries, 7500 (0.5%) were for names in zones that are secured with DNSSEC. Is the percentage really growing that rapidly? Apparently not.
2015-07-31; Out of 1.5M queries, 3735 (0.25%) were for names in zones that are secured with DNSSEC.
2015-09-28; Out of 1.4M queries, 7448 (0.5%) were for names in zones that are secured with DNSSEC.
2016-09-07; Out of 1.3M queries, 7607 (0.6%) were for names in zones that are secured with DNSSEC.
2018-02-26; Out of 1.2M queries, 7643 (0.6%) were for names in zones that are secured with DNSSEC.
2018-04-20; Out of 888K queries, 7380 (0.8%) were for names in zones that are secured with DNSSEC.
2018-12-10; Out of 1.2M queries, 9125 (0.7%) were for names in zones that are secured with DNSSEC. That client recently moved to Office365 for email, so they have many more queries for office365.com and microsoft.com. If we ignore those two names, 0.9% of the queries were for names in DNSSEC zones. Ignoring those two names in the data from 2018-04-20 gives the same 0.9% result.