On Tue, Feb 10, 2026 at 12:13:22PM +0100, Hanno Böck wrote:

> I think this may be interesting for the members of this list:
> I'm developing an Open-Source tool called badkeys [1] that checks
> cryptographic public keys for known vulnerabilities. (Think of things
> like the Debian OpenSSL bug, ROCA, etc.)

Cool.

> As part of a project funded by NLnet, I am now doing regular scans of
> keys in the DNSSEC ecosystem. (Similar scans for DKIM will follow soon.)
> Those involve fetching DNSKEY and CDNSKEY records from domains in the
> Tranco Top 1 Million or DomCop Top 10 Million list (I'm alternating
> between different domain lists) and checking them with badkeys.

These lists do not provide good coverage of DNSSEC-signed domains.  Of
the ~25 million DNSSEC-signed domains covered by the DANE survey, only
~54 thousand are listed among the Top 1 million websites.

I have a database with every DNSKEY seen by the survey since 2017.
Currently holding 556,114,847 distinct keys (45.6 million currently
live).  While I'm not at liberty to share the domain names, I don't see
any barrier to sharing just the keys with the domain names elided.  If
you're interested, I can make that dataset available.

If you like, the keys can be augmented with a date range indicating
their first seen and last seen epoch times, and/or the number of domains
using that key (sometimes a hosting provider uses the same key for
multiple customer zones).

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
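The two messages above describe the same pipeline from different ends: fetch DNSKEY/CDNSKEY records, deduplicate the key material, check each key, and (for the survey dataset) attach a first-seen/last-seen range and the number of zones publishing the key. The script below is an added example, not badkeys' code and not the DANE survey's tooling. It parses DNSKEY records in presentation format, decodes RFC 3110 RSA public keys into (e, n), computes the RFC 4034 key tag, and builds exactly the kind of per-key summary Viktor offers (first/last seen epoch, owner-name count, plus a few cheap structural checks whose thresholds are this example's choice). The sample records, their moduli and their epochs are constructed; the moduli are arbitrary odd numbers, not real RSA keys.

```python
import base64
import hashlib
from dataclasses import dataclass

# DNSSEC algorithms whose public key uses the RFC 3110 RSA layout (assumption: only these
# are decoded here; ECDSA/EdDSA keys are still deduplicated but not inspected).
RSA_ALGORITHMS = {5, 7, 8, 10}


@dataclass(frozen=True)
class Dnskey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey


def parse_dnskey_line(line: str):
    """Parse one DNSKEY or CDNSKEY record in presentation format into (owner, Dnskey)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in ("DNSKEY", "CDNSKEY"))
    owner = fields[0].rstrip(".").lower()
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split into chunks
    return owner, Dnskey(flags, protocol, algorithm, pubkey)


def encode_rsa_pubkey(e: int, n: int) -> bytes:
    """RFC 3110 layout: exponent length (1 byte, or 0x00 plus 2 bytes), exponent, modulus."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return prefix + exp + mod


def decode_rsa_pubkey(pubkey: bytes):
    """Inverse of encode_rsa_pubkey: returns (e, n)."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        elen, off = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[off:off + elen], "big"), int.from_bytes(pubkey[off + elen:], "big")


def key_tag(key: Dnskey) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_id(key: Dnskey) -> str:
    """Deduplication identity: algorithm plus key bytes, ignoring flags, TTL and owner,
    so the same material published as KSK (257) and ZSK (256) counts once."""
    return hashlib.sha256(bytes([key.algorithm]) + key.pubkey).hexdigest()


def rsa_sanity_checks(e: int, n: int) -> list:
    """Cheap structural checks; the 2048-bit threshold is this example's choice."""
    problems = []
    if n.bit_length() < 2048:
        problems.append(f"short modulus ({n.bit_length()} bits)")
    if n % 2 == 0:
        problems.append("even modulus")
    if e < 3 or e % 2 == 0:
        problems.append(f"invalid public exponent {e}")
    return problems


def aggregate(observations):
    """observations: iterable of (epoch_seconds, record_line). Returns {key_id: summary}."""
    summary = {}
    for epoch, line in observations:
        owner, key = parse_dnskey_line(line)
        kid = key_id(key)
        if kid not in summary:
            problems = []
            if key.algorithm in RSA_ALGORITHMS:
                problems = rsa_sanity_checks(*decode_rsa_pubkey(key.pubkey))
            summary[kid] = {"algorithm": key.algorithm, "key_tag": key_tag(key),
                            "first_seen": epoch, "last_seen": epoch,
                            "domains": set(), "problems": problems}
        entry = summary[kid]
        entry["first_seen"] = min(entry["first_seen"], epoch)
        entry["last_seen"] = max(entry["last_seen"], epoch)
        entry["domains"].add(owner)
    return summary


def dnskey_line(owner: str, flags: int, algorithm: int, e: int, n: int) -> str:
    """Build a presentation-format DNSKEY record from an RSA (e, n) pair."""
    pub = base64.b64encode(encode_rsa_pubkey(e, n)).decode()
    return f"{owner}. 3600 IN DNSKEY {flags} 3 {algorithm} {pub}"


# Constructed sample data: arbitrary odd moduli (not real RSA keys), enough to exercise the
# parser and aggregation. Epochs are 2017-01-01, 2018-01-01 and 2026-01-01 UTC.
SHARED_N = (1 << 2047) | 0xD3ADBEEFCAFEF00D
SHORT_N = (1 << 1023) | 0x12345679
SAMPLE_OBSERVATIONS = [
    (1483228800, dnskey_line("example.com", 257, 8, 65537, SHARED_N)),
    (1483228800, dnskey_line("example.net", 257, 8, 65537, SHARED_N)),  # hoster reuses key
    (1514764800, dnskey_line("example.org", 256, 8, 65537, SHORT_N)),
    (1767225600, dnskey_line("example.com", 257, 8, 65537, SHARED_N)),
]

if __name__ == "__main__":
    for kid, entry in aggregate(SAMPLE_OBSERVATIONS).items():
        print(kid[:16], entry["key_tag"], entry["first_seen"], entry["last_seen"],
              len(entry["domains"]), sorted(entry["domains"]), entry["problems"])
```

Deduplicating on algorithm plus key bytes rather than on the whole RDATA is what makes the "number of domains using that key" column meaningful: a hosting provider's shared key shows up once with a domain count of two here, with a first-seen date from the earliest scan and a last-seen date from the latest, which is the shape of the augmented dataset offered in the reply.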