On 4/27/16, 11:29, "DNSOP on behalf of Matthew Pounsett" <dnsop-boun...@ietf.org on behalf of m...@conundrum.com> wrote:
>On 19 April 2016 at 08:13, Shane Kerr <sh...@time-travellers.org> wrote:
>
>>Also, I'm not sure that it is fair to say "most zones are not signed
>>with NSEC". I guess most *TLD* are signed with NSEC3 either for zone
>>size reasons or in a (misguided IMHO) attempt to keep the zone contents
>>secret. But is this true for domains that are not delegation-only? And
>>even if it is, are those zones opt-out?
>
>I feel certain someone has this data. Ed Lewis, would this be something
>that would be possible to pull out of your survey of signed zones?
>

I can answer some of that (why is it those with numbers never have the whole answer?).

As of March 1st (the last time I did a count):

1241 zones - counting the root plus the top-level names (meaning ARPA/ not IN-ADDR.ARPA).
1078 signed, 1070 with DS records (the root, and 7 signed TLDs have not entered a DS)
857 use NSEC3
221 use NSEC

Of those, 925 zones are operated according to agreements for the class-of-2012 new gTLDs; all of these are signed, etc., 730 of these are NSEC3'd, 195 do NSEC (roughly 4:1). I mention this because it leaves the others, mostly ccTLDs, with a slightly starker split - 127 NSEC3 to 26 NSEC (5:1).

The 925 zones are delegation only by rule, as well as a smidgen more (pre-2012 gTLDs whose agreements forbid anything other than delegations, probably less than 25 more). ccTLDs are harder to count because they are not, in general, required to allow their zones to be inspected. There are about 300 ccTLDs (roughly); some report internals, others not.

And I know of no DNSSEC software that can mix opt-out and non-opt-out NSEC3 chains, despite the protocol allowing it; all zones I can see are "opt-out" if they do NSEC3 at all.

So, for the upper zones, most are NSEC3. I wouldn't speculate on motivations for choices; what I do know is what I get when I flat out ask someone (because DNS doesn't include a "why I'm doing this" field). Scaling and "checking a policy box" are the reasons.
As far as other zones, it's harder to do this work without the zone files of the TLDs. As far as significance, while the upper reaches are like 85+% signed, COM, for instance, has about 1/2% signed, which is also 1/2 million delegations. (Small percent, large magnitude.)

In making "policy" decisions like when to assume some statement holds, it would be good to measure all of this, wouldn't it? ;)

Not sure if that answers the question fully. Hope it helps.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
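The counts above are produced by looking at each zone's denial-of-existence records and sorting zones into NSEC, NSEC3 and opt-out NSEC3 buckets. As an added example that is not part of the thread and not code from any survey tool mentioned in it, the Python below parses NSEC3PARAM and NSEC3 RDATA in wire format (RFC 5155 sections 3.2 and 4.2) together with the RFC 4034 type bit map, classifies a zone from the records observed for it, and tallies a set of zones. It also encodes the caveat the reply touches on: the Opt-Out bit lives in each NSEC3 RR's Flags field, and NSEC3PARAM Flags must be zero, so an apex NSEC3PARAM alone tells you a zone uses NSEC3 but not whether it is opt-out; you need an NSEC3 record, for instance from an NXDOMAIN answer at a delegation. A zone whose NSEC3 chain mixes opt-out and non-opt-out records is reported separately, since the protocol allows it even though the post says no software does. The zone names, salt, hashed owner names and type lists are constructed for the example; the hashed names are placeholders, not real SHA-1 output.

```python
"""Classify zones by DNSSEC denial-of-existence scheme from raw RDATA.
Added example, not from the thread: wire-format NSEC3PARAM/NSEC3 parsing
(RFC 5155 s3.2, s4.2) plus the RFC 4034 s4.1.2 type bit map, then a tally
like the one in the post. All zone names and records are constructed."""
import struct
from collections import Counter

OPT_OUT_FLAG = 0x01  # NSEC3 Flags bit (RFC 5155 s3.1.2.1); must be 0 in NSEC3PARAM
A, NS, SOA, DS, RRSIG, NSEC, NSEC3PARAM = 1, 2, 6, 43, 46, 47, 51


def parse_type_bitmap(buf):
    """Decode an RFC 4034 type bit map into an ascending list of RR type codes."""
    types, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated window header")
        window, length = buf[off], buf[off + 1]
        off += 2
        if not 1 <= length <= 32 or off + length > len(buf):
            raise ValueError("bad window length")
        for i, byte in enumerate(buf[off:off + length]):
            types.extend(window * 256 + i * 8 + b for b in range(8) if byte & (0x80 >> b))
        off += length
    return types


def _header(rdata):
    """Fields shared by NSEC3PARAM and NSEC3: alg(1) flags(1) iterations(2) salt_len(1)."""
    if len(rdata) < 5:
        raise ValueError("RDATA too short")
    return struct.unpack("!BBHB", rdata[:5])


def parse_nsec3param(rdata):
    """NSEC3PARAM RDATA: header fields followed only by the salt."""
    alg, flags, iterations, salt_len = _header(rdata)
    if len(rdata) != 5 + salt_len:
        raise ValueError("NSEC3PARAM salt length mismatch")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": rdata[5:]}


def parse_nsec3(rdata):
    """NSEC3 RDATA: header, salt, hash_len(1), next hashed owner name, type bit map."""
    alg, flags, iterations, salt_len = _header(rdata)
    off = 5 + salt_len
    if off >= len(rdata):
        raise ValueError("truncated salt")
    hash_len, start = rdata[off], off + 1
    next_hashed = rdata[start:start + hash_len]
    if len(next_hashed) != hash_len:
        raise ValueError("truncated next hashed owner name")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": rdata[5:off],
            "next_hashed": next_hashed, "opt_out": bool(flags & OPT_OUT_FLAG),
            "types": parse_type_bitmap(rdata[start + hash_len:])}


def classify_zone(rrsets):
    """rrsets: RR type name -> list of raw RDATA observed for one zone.
    Opt-Out is per NSEC3 RR and NSEC3PARAM Flags must be zero (RFC 5155 s4.1.2),
    so an apex NSEC3PARAM alone cannot show opt-out; an NSEC3 RR is needed."""
    nsec3 = [parse_nsec3(r) for r in rrsets.get("NSEC3", [])]
    params = [parse_nsec3param(r) for r in rrsets.get("NSEC3PARAM", [])]
    if nsec3 or params:
        seen = {r["opt_out"] for r in nsec3}
        if seen == {True}:
            return "NSEC3 opt-out"
        if seen == {True, False}:
            return "NSEC3 mixed"  # allowed by RFC 5155; the post reports no software handles it
        return "NSEC3"
    return "NSEC" if rrsets.get("NSEC") else "unsigned"


def survey(zones):
    """Tally classifications over a {zone name: rrsets} mapping."""
    return Counter(classify_zone(rrs) for rrs in zones.values())


def build_type_bitmap(types):
    """Encode RR type codes as an RFC 4034 type bit map (inverse of parse_type_bitmap)."""
    windows, out = {}, b""
    for t in sorted(set(types)):
        windows.setdefault(t >> 8, []).append(t & 0xFF)
    for window, lows in sorted(windows.items()):
        bitmap = bytearray(max(lows) // 8 + 1)
        for low in lows:
            bitmap[low // 8] |= 0x80 >> (low % 8)
        out += bytes([window, len(bitmap)]) + bytes(bitmap)
    return out


def build_nsec3(flags, next_hashed, types, salt=b"", alg=1, iterations=0):
    """Assemble NSEC3 RDATA for the constructed sample (hashes are placeholders)."""
    return (struct.pack("!BBHB", alg, flags, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + build_type_bitmap(types))


SALT = b"\xde\xad\xbe\xef"  # constructed
PARAM = struct.pack("!BBHB", 1, 0, 0, len(SALT)) + SALT  # NSEC3PARAM with Flags = 0
SAMPLE_ZONES = {  # constructed sample, not real TLD data
    "optout-tld.": {"NSEC3PARAM": [PARAM],
                    "NSEC3": [build_nsec3(OPT_OUT_FLAG, b"\x01" * 20, [NS, SOA, RRSIG, NSEC3PARAM], SALT)]},
    "full-nsec3.": {"NSEC3PARAM": [PARAM],
                    "NSEC3": [build_nsec3(0, b"\x02" * 20, [NS, DS, RRSIG], SALT)]},
    "mixed-nsec3.": {"NSEC3": [build_nsec3(OPT_OUT_FLAG, b"\x03" * 20, [NS, SOA, RRSIG]),
                               build_nsec3(0, b"\x04" * 20, [NS, DS, RRSIG])]},
    "plain-nsec.": {"NSEC": [b"\x03foo\x07example\x00" + build_type_bitmap([A, RRSIG, NSEC])]},
    "unsigned.": {},
}
```

Run `survey(SAMPLE_ZONES)` to get the per-scheme counts; in a real survey the rrsets would be filled from the apex NSEC3PARAM/NSEC records and from NSEC3 records returned in negative answers, and the NSEC3-to-NSEC ratio in the post is just the ratio of the "NSEC3*" buckets to the "NSEC" bucket.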