On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote:

> > Is google / gmail using it yet?
> >
> > Last I knew they weren't using DNSSEC or DANE.
>
> Nope.

Actually, yes to some extent.  See my more detailed response.

> But it's still a very small percentage overall.

I'm tracking ~15.8 million DNSSEC signed domains:

    https://stats.dnssec-tools.org/

out of a total of around 300 million candidate domains in signed TLDs.

> I've seen old figures of 1.5% of .com domains use it,

That's rather old data, today's fraction is ~2.6%.  The marginal rate of
(new signed .com domains / new .com domains) is just under 20%, so the
fraction is growing daily (graph linked below shows the total signed,
not the fraction):

    https://stats.dnssec-tools.org/tld-graphs/com.png

> but it's big in a few countries,

Top TLDs by (surveyed) number of signed delegations:

    com  4037481  -- complete daily feed
    nl   3518381  -- complete daily feed
    se    766381  -- complete daily feed
    br    757455
    cz    741517
    fr    568156  -- 30+ day delayed feed
    eu    525670
    no    440311
    pl    409531
    be    395449
    net   380658  -- complete daily feed
    org   345774  -- complete daily feed
    ch    326946  -- complete daily feed

For the ccTLDs where my data is incomplete I often have nearly 90% of
the signed domains from 2nd-hand sources.  Atypically, for .br I only
have somewhere between 50 and 60%, likely many of the rest are parked
and don't show up on anyone's radar.

> and the USA government has to use it.

Some federal domains are required to do DNSSEC, some (mostly .mil)
domains even have working DANE for at least all the primary MX hosts:

    dnsops.gov fvap.gov iad.gov intelligencecareers.gov nsa.gov

    army.mil atac.mil cssp.mil cybercom.mil darpa.mil dau.mil dc3.mil
    dcaa.mil dcatse.mil dcma.mil dcsa.mil deca.mil dfas.mil dha.mil
    dia.mil dla.mil doddacm.mil doded.mil dodiis.mil dpsa.mil dsca.mil
    dss.mil dtsa.mil forge.mil jieddo.mil jpra.mil jten.mil mail.mil
    militaryonesource.mil myduty.mil navy.mil ncca.mil nga.mil nro.mil
    osdcommemorations.mil pacom.mil sco.mil socom.mil sofsa.mil
    spaceforce.mil usapab.mil usmc.mil ustranscom.mil whs.mil

> But the rate of adoption did suddenly increase noticeably a year ago,
> and it might increase more now as it gets easier.
>
> https://stats.dnssec-tools.org/

I expect some positive news this year, will keep you posted.

> I just saw Viktor's reply about mx[1-4].smtp.goog,
> and it looks like those domains are no longer signed:
>
>   > host -t ds mx1.smtp.goog
>   mx1.smtp.goog has no DS record
>   > host -t ds mx2.smtp.goog
>   mx2.smtp.goog has no DS record
>   > host -t ds mx3.smtp.goog
>   mx3.smtp.goog has no DS record
>   > host -t ds mx4.smtp.goog
>   mx4.smtp.goog has no DS record

That's not correct, those are not zone cuts, the signed zone is
"smtp.goog".  To see whether a name is signed you ask for a DNSSEC
validated response from a validating resolver:

    $ dig +dnssec +nosplit +nocl +nottl -t a mx1.smtp.goog.

    ; <<>> DiG 9.16.13 <<>> +dnssec +nosplit +nocl +nottl -t a mx1.smtp.goog.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40301
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1400
    ;; QUESTION SECTION:
    ;mx1.smtp.goog. IN A

    ;; ANSWER SECTION:
    mx1.smtp.goog. A 216.239.32.151
    mx1.smtp.goog. RRSIG A 8 3 3600 20210917160952 20210818160952 28159 smtp.goog. QPkuqpER2MaTksmbJsg2MvQ05Q6P2epeNamcfPNDKAh5GFOeN9lvGL0HkWF2f25GTIYr6hDPPSFbNnZPZGzdXzG03q889B+f/CUCQuGPNtW3TjZCeIcczEYyxjZ/LA4mCEE9BjRMczl62RSvmHRfzLxNuks7Oo84N8lxn/TWsSU=

    ;; Query time: 112 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Aug 19 01:10:13 EDT 2021
    ;; MSG SIZE  rcvd: 227

-- 
    Viktor.
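As an added illustration of the point Viktor makes above (not code from the thread): a small parser that reads `dig +dnssec` output and reports whether the answer was validated (the `ad` flag), whether signatures were requested (the `do` EDNS flag), and, from the RRSIG's signer field, which zone actually signed the name, which is why a DS lookup on `mx1.smtp.goog` itself says nothing about signing. The sample responses are constructed (the signed one is trimmed from the dig output above, the unsigned one is invented), and the `now` timestamp format mirrors the RRSIG inception/expiration fields.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the validated answer from the thread (trimmed) and an
# unvalidated answer of the same shape with no ad flag, no DO bit and no RRSIG.
DIG_SIGNED = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1400
;; ANSWER SECTION:
mx1.smtp.goog. A 216.239.32.151
mx1.smtp.goog. RRSIG A 8 3 3600 20210917160952 20210818160952 28159 smtp.goog. QPkuqpER2M...
"""
DIG_UNSIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1400
;; ANSWER SECTION:
mail.example.invalid. A 192.0.2.25
"""

# RRSIG rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig.
# The TTL and class columns are optional because the query above used +nottl +nocl.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+\d+\s+(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+\S+", re.M)

def _flags(text, pattern):
    m = re.search(pattern, text, re.M)
    return set(m.group(1).split()) if m else set()

def parse_dnssec_status(text, now=None):
    """Summarise a dig response: validated (ad), signatures requested (do), signing
    zone, key tag, wildcard expansion, and whether the RRSIG is inside its validity
    window at `now` (a YYYYMMDDHHMMSS UTC string like the RRSIG fields; default: now).
    The ad flag only means something when it comes from a validating resolver you trust."""
    result = {"ad": "ad" in _flags(text, r"^;; flags: ([^;]*);"),
              "do": "do" in _flags(text, r"^; EDNS: .*flags: ([^;]*);"),
              "signed_zone": None, "key_tag": None, "wildcard": False, "sig_current": None}
    sig = RRSIG_RE.search(text)
    if sig:
        # The signer name identifies the signed zone (smtp.goog); the owner is just a
        # name inside it, not a zone cut, so no DS record is expected at the owner.
        result["signed_zone"] = sig["signer"].rstrip(".")
        result["key_tag"] = int(sig["keytag"])
        # A labels count below the owner's label count marks a wildcard expansion.
        result["wildcard"] = int(sig["labels"]) < len(sig["owner"].rstrip(".").split("."))
        now = now or datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
        result["sig_current"] = sig["incept"] <= now <= sig["expire"]
    return result

if __name__ == "__main__":
    print(parse_dnssec_status(DIG_SIGNED, now="20210819051013"))
    print(parse_dnssec_status(DIG_UNSIGNED))
```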