Deploy360 Domain Name System Security Extensions (DNSSEC)

Q3 2013 DNSSEC Statistics For Zones, Algorithms and Key Sizes

Oct 1 starts the 4th quarter of 2013, so I figured I’d post something about DNSSEC in the root and TLD zones.  Prompting this was a flurry of activity in September in what had been a fairly quiet 2013 to date.

Some notes: I count the root zone plus the top-level zones, e.g. “uk.” but not “”.  I exclude from the study the 11 test IDN zones that have been in place for some years now (as these aren’t reflective of true operations).  And I’ve been (continuously) collecting data only since June 2011, about a year after the root was signed.

Currently I count 112 zones as signed, with 101 DS sets in the root.  (Of course, add 11 if you want to count the test zones, and deduct 1 from the signed count for the root.  There’s no DS for the root, and never will be.)

Here is the change in each quarter in zones with keys and zones with DS records (data collection began in June 2011, so Q1 and Q2 of that year are blank):

                 DNSKEY Set                        DS Set
           Q1    Q2    Q3    Q4            Q1    Q2    Q3    Q4
  2011                 +4   +10                        +2   +10
  2012     +3    +6    +3    +8            +3    +3    +5    +5
  2013     +1    +3   +10                  +4    +5    +5

Some other observations:

  • Over the time of the study, the number of counted zones has risen from 299 to 308, but one TLD has been off the air for the last month.
  • 36% of the counted zones are signed.
  • 3 operators (5 zones total) suspended DNSSEC at some point; all but 1 (1 zone) have resumed.

As for the algorithms used for signing:

  • 41 zones sign with RSA-SHA1
  • 67 zones sign with RSA-SHA256
  • 4 zones sign with RSA-SHA512

Seven operators (7 zones) have moved from RSA-SHA1 keys to RSA-SHA256.  No other algorithm changes have been seen.

Out of the 112 key sets, 106 have a 2048-bit KSK and a 1024-bit ZSK; there are only 6 other length combinations.  There is only 1 zone that uses neither a 2048-bit KSK *NOR* a 1024-bit ZSK.  (That is, “2048 and 1024” is 106, and “not 2048 and not 1024” is 1.)
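The algorithm and key-size tallies above come from reading each zone's DNSKEY RRset: the algorithm number is a field of the record, the KSK/ZSK role is taken from the SEP flag, and the RSA modulus size has to be recovered from the base64 public key in the RFC 3110 layout (exponent length, exponent, modulus). The script below, added here as an illustration and not part of Ed's post or his collection tooling, does exactly that classification over DNSKEY records in presentation format (the form `dig` prints). The sample records are constructed in the script with synthetic, non-functional key material under the reserved TLD names `example.`, `test.` and `invalid.`; the mapping of algorithm numbers to the three RSA families in the post, in particular lumping RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7) together, is my assumption about how the post's buckets were formed.

```python
import base64
from collections import Counter

# IANA DNSSEC algorithm numbers mapped onto the three families in the post.
# Assumption: 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) are one bucket; they are the
# same signature algorithm, 7 merely advertises NSEC3 support.
ALGORITHM_FAMILY = {5: "RSA-SHA1", 7: "RSA-SHA1", 8: "RSA-SHA256", 10: "RSA-SHA512"}


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Bit length of the modulus in an RFC 3110 RSA DNSKEY public key.

    Layout: exponent length (one byte, or a zero byte followed by a two-byte
    length), the exponent, then the modulus.  Leading zero bits are not counted,
    which is how key-size reports describe a key."""
    if not pubkey:
        raise ValueError("empty public key field")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:                       # long form: 2-byte exponent length
        exp_len = int.from_bytes(pubkey[1:3], "big")
        offset = 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key: no modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY RR in presentation format:
    <owner> [<ttl>] [IN] DNSKEY <flags> <protocol> <algorithm> <base64...>"""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not flags & 0x0100:
        raise ValueError("Zone Key bit clear: not a DNSSEC zone key")
    # Bit 15 is the Secure Entry Point hint: 257 = KSK, 256 = ZSK.  It is only a
    # hint; the key the parent's DS actually digests is the real trust anchor.
    role = "KSK" if flags & 0x0001 else "ZSK"
    key = base64.b64decode("".join(fields[i + 4:]))   # base64 may be split on spaces
    return {
        "owner": fields[0],
        "role": role,
        "algorithm": alg,
        "family": ALGORITHM_FAMILY.get(alg, f"alg{alg}"),
        # Only RSA algorithms carry an RFC 3110 modulus; others (e.g. ECDSA) get None.
        "bits": rsa_modulus_bits(key) if alg in ALGORITHM_FAMILY else None,
    }


def zone_stats(lines):
    """Group DNSKEY records by zone and count algorithm families and
    KSK/ZSK size combinations, the two tallies reported in the post."""
    per_zone = {}
    for rec in map(parse_dnskey, lines):
        per_zone.setdefault(rec["owner"], []).append(rec)
    families, sizes = Counter(), Counter()
    for keys in per_zone.values():
        # A zone mid algorithm-rollover legitimately carries two families;
        # record the combination instead of silently picking one.
        families["+".join(sorted({k["family"] for k in keys}))] += 1
        ksk = "+".join(sorted({str(k["bits"]) for k in keys if k["role"] == "KSK"}))
        zsk = "+".join(sorted({str(k["bits"]) for k in keys if k["role"] == "ZSK"}))
        sizes[f"KSK {ksk} / ZSK {zsk}"] += 1
    return families, sizes


def constructed_dnskey(owner: str, flags: int, alg: int, modulus_bits: int) -> str:
    """Build a presentation-format DNSKEY with a SYNTHETIC RSA public key of the
    requested modulus size.  The key bytes are a fixed pattern, not a real key;
    they exist only so the parser has realistic offline input."""
    modulus = b"\x80" + b"\x5a" * (modulus_bits // 8 - 1)   # top bit set: exact size
    rdata = b"\x03\x01\x00\x01" + modulus                    # e = 65537, 1-byte length form
    return f"{owner} 86400 IN DNSKEY {flags} 3 {alg} {base64.b64encode(rdata).decode()}"


# Constructed sample data under RFC 2606 reserved TLD names.
SAMPLE_DNSKEYS = [
    constructed_dnskey("example.", 257, 8, 2048),   # the common 2048/1024 RSA-SHA256 case
    constructed_dnskey("example.", 256, 8, 1024),
    constructed_dnskey("test.", 257, 5, 2048),      # RSA-SHA1, same sizes
    constructed_dnskey("test.", 256, 5, 1024),
    constructed_dnskey("invalid.", 257, 10, 4096),  # RSA-SHA512 with an uncommon size pair
    constructed_dnskey("invalid.", 256, 10, 2048),
]

if __name__ == "__main__":
    fams, combos = zone_stats(SAMPLE_DNSKEYS)
    for fam, n in fams.most_common():
        print(f"{n:3d} zones sign with {fam}")
    for combo, n in combos.most_common():
        print(f"{n:3d} zones: {combo}")
```

To run this against real data, replace `SAMPLE_DNSKEYS` with the output of `dig +noall +answer <tld> DNSKEY` for each TLD; the size check also doubles as a sanity test, since a DNSKEY whose decoded key field is shorter than its exponent length is corrupt rather than merely short.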

About the guest author:  Ed Lewis is an all-things-DNS engineer at Neustar and has been involved with DNSSEC since the very first development task. His first DNSSEC deployment meeting occurred in March 1998 during the 41st IETF meeting. This post was first sent to the dnssec-coord mailing list and is re-posted with Ed’s permission.