> On Apr 12, 2021, at 7:51 PM, Viktor Dukhovni <[email protected]> wrote:
>
> I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
> I took a survey of at the time ~14.4 million DNSSEC signed domains, of
> which ~10.9 million used NSEC3.

We did a study a few years ago, with a much smaller data set than Viktor's. But the numbers were very much in the same ballpark:

NSEC3: 83%
NSEC: 13%

But more specifically:

NSEC3 (traditional): 53%
NSEC3 (white lies): 30%
NSEC (traditional): 11%
NSEC (black lies): 2%

Note that the remaining 4% were unclassified because of inconsistent behavior.

Also:

> On Apr 13, 2021, at 10:40 AM, Viktor Dukhovni <[email protected]> wrote:
>
> - Most zones have no secrets, often just the zone apex and a couple
>   of common labels, "www", "smtp", "mx1", ...

Again, we have some empirical measurements to confirm this. Nearly 90% of zones signed with NSEC3 have fewer than 10 names.

The full paper is here:

https://casey.byu.edu/papers/2019_pam_dnssec_lies.pdf

And an OARC presentation on the topic here:

https://indico.dns-oarc.net/event/32/contributions/725/attachments/699/1151/2019-11-01-dnssec-lies-oarc.pdf

Cheers,
Casey
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
