
Measuring DNSSEC in zones

Christian Huitema edited this page Oct 7, 2018 · 1 revision

In an early version of metric M4, we attempted to measure how many zones publish DNSSEC records by looking at the DNS responses:

  • To compute metric 4.6, we find the zone associated with each query using the open source Public Suffix List maintained on GitHub by the Public Suffix project. We then look at the subset of queries in which the DO bit was set. If the response includes DNSSEC records such as DNSKEY, RRSIG, NSEC, NSEC3, or DS, we conclude that the corresponding zone supports DNSSEC. In contrast, if we find queries in which the DO bit is set but never receive any DNSSEC record in the responses, we assume that the zone probably does not support DNSSEC.
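The classification above, as an added worked example that is not code from the ITHI tools or from this page. It models a capture as a list of query/response summaries (zone lookup against a small constructed subset of the Public Suffix List, DO bit, TC bit, and the RR types seen in the response), applies the rule as stated, and also shows the variant a practitioner would want: responses that were truncated (TC=1) are marked "unknown" rather than counted as "no DNSSEC", since the DNSSEC records in that case never reached the capture. The field names, the suffix subset and the sample records are all constructed for the example.

```python
"""Per-zone DNSSEC classification from DO-bit queries (added example, not ITHI code)."""
from __future__ import annotations

# Constructed subset of the Public Suffix List; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# RR types whose presence in a response the page treats as evidence of DNSSEC.
DNSSEC_RRTYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "DS"}


def zone_of(qname: str, suffixes: set[str] = PUBLIC_SUFFIXES) -> str | None:
    """Return the registrable zone (longest public suffix plus one label), or None.

    Names that are themselves a public suffix (e.g. "co.uk.") get None, as there is
    no registrant zone to attribute the query to.
    """
    labels = qname.rstrip(".").lower().split(".")
    # Walking from the full name down finds the longest matching suffix first,
    # so "co.uk" wins over "uk" for "www.example.co.uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def classify_zones(records: list[dict], exclude_truncated: bool = False) -> dict[str, str]:
    """Map each zone to "dnssec", "no-dnssec" or "unknown" from DO-bit queries.

    Each record is a constructed summary of one query/response pair:
      qname   - queried name
      do      - DO bit set in the query
      tc      - TC bit set in the response (answer did not fit in the datagram)
      rrtypes - set of RR types present in the response sections
    With exclude_truncated=False this is exactly the rule described on the page;
    with True, truncated responses no longer count as evidence against DNSSEC.
    """
    status: dict[str, str] = {}
    for r in records:
        if not r["do"]:
            continue  # only DO=1 queries can elicit DNSSEC records
        zone = zone_of(r["qname"])
        if zone is None:
            continue
        if exclude_truncated and r["tc"]:
            status.setdefault(zone, "unknown")  # evidence missing, not negative
            continue
        if r["rrtypes"] & DNSSEC_RRTYPES:
            status[zone] = "dnssec"  # one positive observation is enough
        elif status.get(zone) != "dnssec":
            status[zone] = "no-dnssec"
    return status


def dnssec_share(status: dict[str, str]) -> float:
    """Fraction of classified zones (unknowns excluded) that showed DNSSEC records."""
    classified = [s for s in status.values() if s != "unknown"]
    if not classified:
        return 0.0
    return sum(1 for s in classified if s == "dnssec") / len(classified)


# Constructed records standing in for a capture taken at a recursive resolver.
SAMPLE_RECORDS = [
    {"qname": "www.signed.com.", "do": True, "tc": False, "rrtypes": {"A", "RRSIG"}},
    {"qname": "www.unsigned.net.", "do": True, "tc": False, "rrtypes": {"A"}},
    # Signed zone whose answer overflowed the datagram: TC=1, no records captured.
    {"qname": "big.org.", "do": True, "tc": True, "rrtypes": set()},
    {"qname": "mail.big.org.", "do": True, "tc": True, "rrtypes": set()},
    # DO=0 query: ignored by the metric even though the zone is signed.
    {"qname": "www.signed.com.", "do": False, "tc": False, "rrtypes": {"A"}},
    # Query for a public suffix itself: no registrant zone, ignored.
    {"qname": "co.uk.", "do": True, "tc": False, "rrtypes": {"SOA", "RRSIG"}},
]

if __name__ == "__main__":
    naive = classify_zones(SAMPLE_RECORDS)
    aware = classify_zones(SAMPLE_RECORDS, exclude_truncated=True)
    print("page rule     :", naive, f"share={dnssec_share(naive):.2f}")
    print("TC-aware rule :", aware, f"share={dnssec_share(aware):.2f}")
```

With the sample records the page's rule counts big.org as a zone without DNSSEC purely because its answers were truncated, giving a share of 1/3; treating truncated responses as unknown gives 1/2. On a real capture the TC bit and the TCP retry (if it was captured at all) are what separate "no DNSSEC records" from "records we never saw".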

This does not return reliable results, because responses carrying DNSSEC records are often too long to fit in a UDP packet (the server then sets the TC bit and the client retries over TCP, so the records never appear in the UDP responses being examined). The test programs appear to work, but only because the test file was captured at the root. Root servers will typically return an NS record for the target zone, and a DS record hinting at DNSSEC support in the zone. These two record sets usually fit in a single datagram, so we get a plausible result. But when using the same tactic at recursive servers, the results are not reliable -- it says that less than 0.1% of zones publish DNSSEC records, which is simply not true.