Results of an DNSSEC AT survey

[Lutz Donnerhacke]

  Report of DNSSEC deploymnet in AT, CO.AT, OR.AT

NIC.AT thankworthy offered me access to the AT zone in order to keep an eye
on the DNSSEC distribution in their zone.

This survey used a list of 721965 zones from 2008-1-1.

First question was for DNSKEY using a validating resolver:
        7  OK
   680919  No such data
     1507  No such domain
    39532  Nameserver reports failure


The seven signed zones stay on the same primary name server:
  asclepion.at epages.co.at epages.or.at meinfotoservice.at online-fotos.at
  onlinefotos.at pixaco.at

The huge majority (680919) of zones are not signed and working fine with the
validating resolver.

For 1507 zones, the nameserver reports NXDOMAIN for DNSKEY queries. That's
sometimes wrong, the domain exists! See the example below.

The 39532 zones, causing temporary failures for DNSKEY queries are rechecked
with a non-validating resolver and A/NS queries. Most of them do not respond
to EDNS0 queries at all. So the "ordinary" queries result in:
   16934   "No such data" oder "OK"
     354   No such domain
   21459   Nameserver reports failure

About 40% of the DNSSEC problematic zones are reachable without any problems
for the non-validating resolver. Here an example:

   ; <<>> DiG 9.4.2 <<>> DNSKEY 0038.at @ns3.domaindiscount24.net +norec
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65298
   ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  
   ; <<>> DiG 9.4.2 <<>> A 0038.at @ns3.domaindiscount24.net +norec
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47454
   ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 0

More than a half of all those zone is served by the name servers of
domaindiscount24.net.

The remaining 21459 tempfailed zones are caused by resolvers which does not
know about the delegated zone but recursivly refer to other servers.

-- 
I'm interested in other TLDs to do the same checks.