Hi, Am 04.09.2012 22:57, schrieb Wessels, Duane: > Within Verisign Labs we have a project underway to quantify the number of > DNSSEC-validating resolvers in use on the Internet. In particular, we > want to identify recursive name servers which have configured the root > zone trust anchor. We find this data a useful metric for DNSSEC adoption > and especially helpful for informing discussions about key rollovers for > the root zone.
My research group has a similar project that you may be interested in. We run a DNSSEC validation test with user feedback at http://dnssec.vs.uni-due.de (for fun) and a hidden test in some websites (for research). We gathered 69k results from 54k distinct IP addresses since May this year. The validation ratio was 4.4% which is close to the 3.25% of the current VeriSign 'prefetch' results. Our results vary significantly by country, US is ~13% (Comcast...), some European countries up to 4% and the others are basically zero (this might be inaccurate, the majority of our results are from DE and US). > In order for our our measurements to be meaningful, we need to receive > queries from a wide variety of recursive name servers. To achieve this > goal we ask members of the DNS and networking communities to assist by > adding the following single line of HTML code to your web pages: > > <a href="http://prefetch.validatorsearch.verisignlabs.com";></a> > > This HTML snippet should have no visible impact on a rendered page. Since > nearly all web browsers now implement DNS prefetching, the code above > results in a DNS query for the name shown and allows us to characterize > the recursive name server that the query goes through. Our test methodology is to load 1px images from two domain names, one correctly signed and the other one with a broken signature. > Please note that we are not interested in identifying individual users who > have loaded the web page. The name above points to the localhost IP address > (127.0.0.1) so even if someone does manage to "click" on it, that request > does not reach us. Definitely an advantage over our test as we generate more traffic and log HTTP requests. > For some preliminary results, please visit the project web page at > http://validatorsearch.verisignlabs.com/ Here's some more information about our measurements: http://www.vs.uni-due.de/personal/wander/20120821_DNSSEC_Validation/ I'm right now putting all results together in a paper for PAM2013 (submission is next week). Kind regards, Matt -- Universität Duisburg-Essen Fachgebiet Verteilte Systeme Bismarckstr. 90 / BC 316 47057 Duisburg Tel: +49 203 379 2767 _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
