?

Log in

No account? Create an account

fanf

DNSSEC lookaside validation stats

« previous entry | next entry »
7th Jun 2012 | 13:54

DNSSEC lookaside validation can provide a chain of trust to signed zones whose parents have not yet deployed DNSSEC. DLV validators usually use a registry maintained by the ISC, dlv.isc.org. The DLV spec uses NSEC records to identify empty spans of the registry zone, so a validator does not need to query the registry for names that fall in these spans. A side-effect of this is that you can use the NSEC records to get a list of all the entries in the registry.

  # note the hacky difference in trailing dots
  # to make starting and ending conditions different
  n=dlv.isc.org
  while [ $n != dlv.isc.org. ]
  do
    r=$(dig +short nsec $n)
    n=${r%% *}
    echo $n
  done

There are only 2664 entries in the DLV at the moment, so it is tiny compared to the number of properly delegated DNSSEC zones. The most popular TLDs in the DLV are:

 495 arpa
 436 com
 254 de
 253 org
 237 net
  64 eu
  61 uk
  57 info
  50 hu
  42 nl
  37 fr
  36 ro
  36 ch
  32 cz
  30 ru
  29 us
  24 jp
  23 br
  22 biz
  20 it
  20 co
  20 at
  19 be
  18 name
  18 au

| Leave a comment | Share

Comments {4}

Jan-Piet Mens

from: jpmens
date: 7th Jun 2012 13:46 (UTC)

I love your shell script, but as you undoubtedly know, ldns-walk from the LDNS project does similar. :)

Reply | Thread

Tony Finch

from: fanf
date: 7th Jun 2012 13:49 (UTC)

Yes :-) Though Sabahattin Gucukoglu said on Twitter that it got upset by the dlv.isc.org zone - https://twitter.com/sgucukoglu/status/210536498162958336

Reply | Parent | Thread

Jan-Piet Mens

from: jpmens
date: 7th Jun 2012 13:56 (UTC)

It works well for me. :)

Reply | Parent | Thread

Dmitry Kohmanyuk on Livejournal

from: dk379
date: 8th Apr 2013 22:17 (UTC)

I wonder what are results for rest of TLDs, in particular for ua. Any IDNs there?

Reply | Thread