Hi,

On Fri, 20 Feb 2026 13:43:02 +1100 Viktor Dukhovni <[email protected]> wrote:

> > Those involve fetching DNSKEY and CDNSKEY records
> > from domains in the Tranco Top 1 Million or DomCop Top 10 Million
> > list (I'm alternating between different domain lists) and checking
> > them with badkeys.
>
> These lists do not provide good coverage of DNSSEC-signed domains. Of
> the ~25 million DNSSEC-signed domains covered by the DANE survey, only
> ~54 thousand are listed among the Top 1 million websites.

Sure, I'm aware that this isn't a scan of "the entire DNSSEC ecosystem". But I guess it's a large enough sample that I'd see if compromised keys would be common. (Which, from what I can see right now, they aren't.)

FWIW, I plan to probably switch to a merged list of multiple top-lists soon.

> I have a database with every DNSKEY seen by the survey since 2017.
> Currently holding 556,114,847 distinct keys (45.6 million currently
> live). While I'm not at liberty to share the domain names, I don't
> see any barrier to sharing just the keys with the domain names
> elided. If you're interested, I can make that dataset available.

That certainly would be interesting, and I can easily run a scan on that dataset.

> If you like, the keys can be augmented with a date range indicating
> their first seen and last seen epoch times, and/or the number of
> domains using that key (sometimes a hosting provider uses the same
> key for multiple customer zones).

Yeah, particularly the date range would be helpful, as it's obviously quite a different issue if the finding is "xxx hosts used a compromised key in the past" or "xxx hosts are using a compromised key right now".

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
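The check discussed above (decode DNSKEY records, match them against a list of known-bad keys, and use the survey's first-seen/last-seen epochs to separate "used a bad key in the past" from "using one right now"), as an added example in Python. This is not code from the thread, from the DANE survey or from badkeys: the sample record, the block list and the timestamps are constructed, and identifying a key by the SHA-256 of its RSA modulus is an assumption made here, not how badkeys represents keys. It parses presentation-format DNSKEY RRs, unpacks the RFC 3110 RSA key field, computes the RFC 4034 key tag and reports a finding with a current/historical status.

```python
"""Decode DNSKEY records and flag keys that appear on a known-bad list.

Added example; not code from the dns-operations thread, the DANE survey
or badkeys. The sample key, block list and timestamps below are constructed.
"""
import base64
import hashlib

# DNSSEC algorithm numbers whose public key field uses RFC 3110 RSA framing
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def parse_dnskey(record):
    """Parse a presentation-format DNSKEY RR into its RDATA fields.

    Accepts lines such as
      example.net. 3600 IN DNSKEY 257 3 8 AwEAAa...
    TTL and class are optional; the base64 key may be split by whitespace.
    """
    tokens = record.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the wire-format RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # sum of big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_components(pubkey):
    """Split an RFC 3110 RSA public key field into (exponent, modulus)."""
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1          # one-byte exponent length
    else:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3  # two-byte length
    e = int.from_bytes(pubkey[offset:offset + exp_len], "big")
    n = int.from_bytes(pubkey[offset + exp_len:], "big")
    return e, n


def modulus_fingerprint(n):
    """SHA-256 of the big-endian modulus (assumed scheme, stable across flag changes)."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_record(record, bad_fingerprints, first_seen=None, last_seen=None,
                 now=None, stale_after=7 * 86400):
    """Return a finding dict for one DNSKEY, or None if the key is not listed.

    first_seen/last_seen are epoch seconds as in the survey data mentioned in
    the thread. A listed key last seen within `stale_after` of `now` is
    reported as "current"; older sightings are "historical".
    """
    rr = parse_dnskey(record)
    if rr["algorithm"] not in RSA_ALGORITHMS:
        return None  # RFC 3110 framing only applies to RSA keys
    e, n = rsa_components(rr["pubkey"])
    fp = modulus_fingerprint(n)
    if fp not in bad_fingerprints:
        return None
    status = "unknown"
    if last_seen is not None and now is not None:
        status = "current" if now - last_seen <= stale_after else "historical"
    return {"owner": rr["owner"],
            "key_tag": key_tag(rr["flags"], rr["protocol"], rr["algorithm"], rr["pubkey"]),
            "exponent": e, "modulus_bits": n.bit_length(),
            "fingerprint": fp, "status": status,
            "first_seen": first_seen, "last_seen": last_seen}


# Constructed sample: a 128-bit "modulus" (far too small for a real key),
# framed as an RSASHA256 KSK so the parser and key tag can be exercised.
SAMPLE_MODULUS = bytes.fromhex("c35a112233445566778899aabbccddef")
SAMPLE_PUBKEY = bytes([3]) + (65537).to_bytes(3, "big") + SAMPLE_MODULUS
SAMPLE_RECORD = ("example.net. 3600 IN DNSKEY 257 3 8 "
                 + base64.b64encode(SAMPLE_PUBKEY).decode())

# Constructed block list containing only the sample modulus.
BAD_FINGERPRINTS = {modulus_fingerprint(int.from_bytes(SAMPLE_MODULUS, "big"))}

if __name__ == "__main__":
    print(check_record(SAMPLE_RECORD, BAD_FINGERPRINTS,
                       first_seen=1_500_000_000, last_seen=1_700_000_000,
                       now=1_700_000_100))
```

Feeding the survey's key dump through `check_record` with its first/last-seen epochs gives the split Hanno asks for; the `stale_after` window decides what still counts as "right now", and non-RSA algorithms are skipped rather than mis-parsed.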
