‹ Back
Deploy360 2 October 2013

Q3 2013 DNSSEC Statistics For Zones, Algorithms and Key Sizes

dnssecOct 1 starts the 4th quarter of 2013, so I figured I’d post something about DNSSEC in the root and TLD zones.  Prompting this was a flurry of activity in September in what had been a fairly quiet 2013 to date.

Some notes – I count the root zone plus the top-levels.  E.g., “uk.” but not “co.uk.”  And I exclude from the study the 11 test IDN zones that have been in place for some years now (as these aren’t reflective of true operations).  And I’ve been (continuously) collecting data only since June 2011 about a year after the root was signed.

Currently I count 112 zones as signed with 101 DS sets in the root.  (Of course, add 11 if you want to count the test zones, deduct 1 from the signed count for the root.  There’s no DS for the root, never will be.)

Here is the change in each quarter in zones with keys and zones with DS records

DNSKEY Set                    DS Set
          Q1   Q2   Q3   Q4             Q1   Q2   Q3   Q4
2011                +4  +10                       +2  +10
2012      +3   +6   +3   +8             +3   +3   +5   +5
2013      +1   +3  +10                  +4   +5   +5

Some other observations:

  • Over the time of the study, the number of counted zones has risen from 299 to 308 but there is one TLD that has been off-the-air for the last month.
  • 36% of the counted zones are signed.
  • 3 operators (5 zones total) suspended DNSSEC at some point, all but 1 (1 zone) have resumed.

As far as algorithms used for signing:

  • 41 zones sign with RSA-SHA1
  • 67 sign with RSA-SHA256
  • 4 zones with RSA-SHA512

Seven operators (7 zones) have moved from RSA-SHA1 keys to RSA-SHA256.  No other algorithm changes have been seen.

Out of the 112 key sets, 106 have 2048-bit KSK and 1024 ZSK keys, there are only 6 other length combinations.  There is only 1 zone that does uses neither a 2048-bit KSK *NOR* a 1024-bit ZSK. (That is “1024 and 2048” is 106, “not1024 and not2048” is 1.)


About the guest author:  Ed Lewis is an all-things-DNS engineer at Neustar and has been involved with DNSSEC since the very first development task. His first DNSSEC deployment meeting occurred in March 1998 during the 41st IETF meeting. This post was first sent to the dnssec-coord mailing list and is re-posted with Ed’s permission.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...

Join the conversation with Internet Society members around the world