> On 18 Oct 2021, at 12:43 am, Viktor Dukhovni <[email protected]> wrote:
>
> We were waiting for TransIP to complete the migration of their managed
> DNS domains from 100 iterations to 0, before collecting fresh NSEC3
> iteration count deployment statistics.
>
> That has now been done, and the results are below:
>
> Zones successfully probed: 16,302,535
> Zones using NSEC3: 12,460,057 76.4% (of signed zones)
> Zones using opt-out: 1,162,869 9.3% (of NSEC3 zones)
>
> Percentile cumulative distribution:
>
> iterations cumulative%
> 0 7.934956%
> 5 71.117973%
> 10 92.455026%
> 15 94.808563%
> 20 99.183358%
> 25 99.256617%
> 30 99.256745%
> 35 99.266753%
> 40 99.676831%
> 50 99.783324%
> 55 99.783508%
> 60 99.783532%
> 75 99.784263%
> 80 99.784295%
> 85 99.784664%
> 90 99.784913%
> 99 99.785017%
> 100 99.946999%
> 120 99.947151%
> 150 99.998403%
> 160 99.998411%
> 200 99.998571%
> 250 99.998628%
> 300 99.998652%
> 330 99.998756%
> 400 99.998828%
> 500 99.999655%
> 1600 99.999960%
> 2000 99.999976%
> 2500 100.000000%

Just in case further reductions occurred since mid-October, I did a quick
rescan of zones which had >= 51 iterations, and the absolute frequencies
are below. Still mostly negligible, except for 100, 150, and a small
Raytheon bump at 500. So the question boils down to whether we want to
nudge the 150s and perhaps also the 100s down to either 100 or 50, setting
the recommended resolver limit there (and of course still strongly recommend
the auth zone signers to use 0).

1 51
19 52
1 53
1 54
1 55
2 56
1 60
1 61
12 64
1 67
2 69
75 75
1 80
8 81
5 84
33 85
20 90
1 96
11 99
20038 100
1 101
17 107
1 120
6 128
1 132
1 139
27 149
6304 150
1 160
17 177
3 200
1 234
6 250
1 256
2 300
13 330
8 400
1 423
1 487
101 500
2 1024
1 1337
35 1600
2 2000
3 2500
--
Viktor.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
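
The rescan counts above, tallied against candidate resolver limits, as an added example that is not part of the original message: it counts how many of the rescanned zones exceed each limit and which iteration values account for most of them. The limits 50 and 100 come from the message; the limit 150, the function names, and treating a limit as inclusive (only iteration counts strictly above it are counted) are assumptions.

```python
from collections import Counter

# "count iterations" pairs copied from the rescan table in the message above
# (zones that still had >= 51 NSEC3 iterations).
RESCAN = """
1 51, 19 52, 1 53, 1 54, 1 55, 2 56, 1 60, 1 61, 12 64, 1 67, 2 69, 75 75,
1 80, 8 81, 5 84, 33 85, 20 90, 1 96, 11 99, 20038 100, 1 101, 17 107,
1 120, 6 128, 1 132, 1 139, 27 149, 6304 150, 1 160, 17 177, 3 200, 1 234,
6 250, 1 256, 2 300, 13 330, 8 400, 1 423, 1 487, 101 500, 2 1024, 1 1337,
35 1600, 2 2000, 3 2500
"""

def parse(text):
    """Return a Counter mapping iteration count -> number of zones."""
    zones = Counter()
    for pair in text.replace("\n", " ").split(","):
        if pair.strip():
            count, iterations = map(int, pair.split())
            zones[iterations] += count
    return zones

def over_limit(zones, limit):
    """Number of zones whose iteration count is strictly above the limit
    (assumption: a resolver limit of N still accepts exactly N)."""
    return sum(n for it, n in zones.items() if it > limit)

def main_contributors(zones, limit, top=3):
    """Iteration values that account for the most zones above the limit,
    as (iterations, zones) pairs, largest group first."""
    above = Counter({it: n for it, n in zones.items() if it > limit})
    return above.most_common(top)

if __name__ == "__main__":
    zones = parse(RESCAN)
    print(f"rescanned zones with >= 51 iterations: {sum(zones.values())}")
    # 50 and 100 are the limits named in the message; 150 is added here
    # for comparison (assumption).
    for limit in (50, 100, 150):
        n = over_limit(zones, limit)
        print(f"limit {limit:>3}: {n:>6} zones above it; "
              f"largest groups {main_contributors(zones, limit)}")
```
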