On Fri, Oct 15, 2021 at 04:30:37PM -0700, [email protected] wrote:
> Filename : draft-ietf-dnsop-nsec3-guidance-01.txt
>
> Abstract:
> NSEC3 is a DNSSEC mechanism providing proof of non-existence by
> promising there are no names that exist between two domainnames
> within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly
> disclosing the bounding domainname pairs. This document provides
> guidance on setting NSEC3 parameters based on recent operational
> deployment experience.

We were waiting for TransIP to complete the migration of their managed
DNS domains from 100 iterations to 0, before collecting fresh NSEC3
iteration count deployment statistics.

That has now been done, and the results are below:

Zones successfully probed: 16,302,535
Zones using NSEC3:         12,460,057  76.4% (of signed zones)
Zones using opt-out:        1,162,869   9.3% (of NSEC3 zones)

Percentile cumulative distribution:

iterations cumulative%
0 7.934956%
5 71.117973%
10 92.455026%
15 94.808563%
20 99.183358%
25 99.256617%
30 99.256745%
35 99.266753%
40 99.676831%
50 99.783324%
55 99.783508%
60 99.783532%
75 99.784263%
80 99.784295%
85 99.784664%
90 99.784913%
99 99.785017%
100 99.946999%
120 99.947151%
150 99.998403%
160 99.998411%
200 99.998571%
250 99.998628%
300 99.998652%
330 99.998756%
400 99.998828%
500 99.999655%
1600 99.999960%
2000 99.999976%
2500 100.000000%

Absolute zone number per iteration count:

iterations zone count
0 988700
1 6455550
2 3875
3 31803
4 188
5 1381224
6 95
7 30601
8 1461259
9 80
10 1166574
11 123
12 288651
13 81
14 8
15 4389
16 13934
17 8
18 9
19 5
20 531146
21 9002
22 6
23 19
24 88
25 13
27 1
29 1
30 14
31 4
32 79
33 1131
35 33
40 51096
42 35
50 13234
51 1
52 19
53 1
54 1
55 1
56 2
60 1
64 13
67 1
69 2
75 75
77 2
80 2
81 8
84 5
85 33
90 31
93 1
96 1
99 11
100 20183
101 1
107 17
120 1
128 6
132 1
139 1
149 27
150 6351
160 1
177 17
200 3
234 1
250 6
256 1
300 2
330 13
333 1
400 8
423 1
487 1
500 101
1024 2
1337 1
1600 35
2000 2
2500 3
--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
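
Added example, not part of the message above or of the draft: what the
iteration count in these statistics controls, using the NSEC3 hash as
defined in RFC 5155 (SHA-1 over the wire-format name plus salt, then
"iterations" further rounds). The function names and the sample
NSEC3PARAM strings are assumptions of this example.

```python
import base64
import hashlib

# NSEC3 uses base32hex (RFC 4648); map it from the standard base32 alphabet.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155: H(name || salt), then `iterations` rounds of H(prev || salt)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def nsec3param_cost(rdata: str) -> dict:
    """Parse presentation-format NSEC3PARAM rdata ("alg flags iterations salt")
    and report how many SHA-1 calls every hashed name costs a signer,
    authoritative server or validator."""
    alg, flags, iterations, salt = rdata.split()
    n = int(iterations)
    if alg != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if not 0 <= n <= 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    salt_len = 0 if salt == "-" else len(bytes.fromhex(salt))
    return {"iterations": n, "salt_len": salt_len, "sha1_calls": n + 1}


if __name__ == "__main__":
    # Constructed sample records: the 100 -> 0 migration mentioned above.
    for rdata in ("1 0 100 aabbccdd", "1 0 0 -"):
        print(rdata, nsec3param_cost(rdata), nsec3_hash("example.", *rdata.split()[:1:-1]))
```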