Results of an DNSSEC AT survey
lutz at iks-jena.de
Fri Jan 4 11:39:06 EST 2008
Report of DNSSEC deploymnet in AT, CO.AT, OR.AT
NIC.AT thankworthy offered me access to the AT zone in order to keep an eye
on the DNSSEC distribution in their zone.
This survey used a list of 721965 zones from 2008-1-1.
First question was for DNSKEY using a validating resolver:
680919 No such data
1507 No such domain
39532 Nameserver reports failure
The seven signed zones stay on the same primary name server:
asclepion.at epages.co.at epages.or.at meinfotoservice.at online-fotos.at
The huge majority (680919) of zones are not signed and working fine with the
For 1507 zones, the nameserver reports NXDOMAIN for DNSKEY queries. That's
sometimes wrong, the domain exists! See the example below.
The 39532 zones, causing temporary failures for DNSKEY queries are rechecked
with a non-validating resolver and A/NS queries. Most of them do not respond
to EDNS0 queries at all. So the "ordinary" queries result in:
16934 "No such data" oder "OK"
354 No such domain
21459 Nameserver reports failure
About 40% of the DNSSEC problematic zones are reachable without any problems
for the non-validating resolver. Here an example:
; <<>> DiG 9.4.2 <<>> DNSKEY 0038.at @ns3.domaindiscount24.net +norec
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65298
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
; <<>> DiG 9.4.2 <<>> A 0038.at @ns3.domaindiscount24.net +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47454
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 0
More than a half of all those zone is served by the name servers of
The remaining 21459 tempfailed zones are caused by resolvers which does not
know about the delegated zone but recursivly refer to other servers.
I'm interested in other TLDs to do the same checks.
More information about the Dnssec-deployment