CINXE.COM

<!DOCTYPE html>     <html lang="en-US">  <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width" /> <title>How We Measure: DNSSEC Validation | blabs</title> <link rel="profile" href="http://gmpg.org/xfn/11" /> <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.2/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" media="all" href="https://labs.apnic.net/blabs/wp-content/themes/apnic/style.css" /> <style> /* "nojs" css is embedded so it never fails to be applied. */ .js-off{display:none;} .nojs .js-on{display:none;} /* .js-on = show me if js is on/enabled */ .nojs .js-off{display:inherit;}/* .js-off = show me if js is off/disabled */ </style> <link rel="pingback" href="https://labs.apnic.net/blabs/xmlrpc.php" /> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel="alternate" type="application/rss+xml" title="blabs » Feed" href="https://labs.apnic.net/index.php/feed/" /> <link rel="alternate" type="application/rss+xml" title="blabs » Comments Feed" href="https://labs.apnic.net/index.php/comments/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/labs.apnic.net\/blabs\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.1"}}; /*! This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://labs.apnic.net/blabs/wp-includes/css/dist/block-library/style.min.css?ver=6.7.1' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel="https://api.w.org/" href="https://labs.apnic.net/index.php/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://labs.apnic.net/index.php/wp-json/wp/v2/posts/1801" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://labs.apnic.net/blabs/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel="canonical" href="https://labs.apnic.net/index.php/2023/10/30/how-we-measure-dnssec-validation/" /> <link rel='shortlink' href='https://labs.apnic.net/?p=1801' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://labs.apnic.net/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Flabs.apnic.net%2Findex.php%2F2023%2F10%2F30%2Fhow-we-measure-dnssec-validation%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://labs.apnic.net/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Flabs.apnic.net%2Findex.php%2F2023%2F10%2F30%2Fhow-we-measure-dnssec-validation%2F&format=xml" /> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head> <body class="post-template-default single single-post postid-1801 single-format-standard singular one-column content"> <div id="wrapper" class="nojs"> <script> // Embedded and no libs so it never fails to run (unless js is switched off). // Located here so there is no flicker in stuff being shown/hidden. document.getElementById('wrapper').className = document.getElementById('wrapper').className.replace(/nojs/gi,''); </script> <div class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> </div> <div class="collapse navbar-collapse"> <ul class="nav navbar-nav"> <li id="global-apnic-navbar-link-blog"><a href="//blabs.apnic.net">Labs Blog Posts</a></li> <li id="global-apnic-navbar-link-presentations"><a href="//labs.apnic.net/presentations">Labs Presentations</a></li> <li id="global-apnic-navbar-link-measurement"><a href="//labs.apnic.net/measurements">Measurements and Data</a></li> </ul> </div> </div> </div> <header id="site-banner" class="container"> <h2 class="apnic"><span>APNIC</span></h2> <h2 class="labs"><span>Labs</span></h2> </header> <div id="page-wrapper" class="container"> <div id="page"> <div id="contents"> <div class="row"> <div class="col-md-offset-1 col-md-10"> <div> <div class="menu-main-container"><ul id="menu-main" class="nav nav-tabs"><li id="menu-item-9" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9"><a href="/">Home</a></li> <li id="menu-item-6" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-6"><a href="https://labs.apnic.net/index.php/category/routing/">Routing</a></li> <li id="menu-item-7" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-7"><a href="https://labs.apnic.net/index.php/category/security/">Security</a></li> <li id="menu-item-8" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor current-menu-parent current-post-parent menu-item-8 active "><a href="https://labs.apnic.net/index.php/category/dns/">DNS</a></li> <li id="menu-item-10" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-10"><a href="https://labs.apnic.net/index.php/category/ipv6/">IPv6</a></li> <li id="menu-item-11" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-11"><a href="https://labs.apnic.net/index.php/category/policy/">Policy</a></li> <li id="menu-item-332" class="menu-item menu-item-type-taxonomy menu-item-object-category menu-item-332"><a href="https://labs.apnic.net/index.php/category/ip-addresses/">IP Addresses</a></li> <li id="menu-item-1942" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1942"><a href="https://labs.apnic.net/index.php/post-quantum-cryptography/">Post-Quantum Cryptography</a></li> </ul></div> </div> </div> </div> <div class="js-off alert alert-error"> <h3>Javascript is disabled</h3> <p>We would like to provide you with a better user experience. Please re-enable Javascript in your web browser.</p> </div> <div class="row"> <div class="col-md-offset-1 col-md-10"> <div id="primary"> <div id="content" role="main"> <nav id="nav-single"> <h3 class="assistive-text">Post navigation</h3> <span class="nav-previous"><a href="https://labs.apnic.net/index.php/2023/10/30/notes-from-nanog-89-trust-and-network-infrastructure/" rel="prev"><span class="meta-nav">←</span> Previous</a></span> <span class="nav-next"><a href="https://labs.apnic.net/index.php/2023/11/09/how-we-measure-rpki-roa-signing-and-route-origination-validation/" rel="next">Next <span class="meta-nav">→</span></a></span> </nav> <article id="post-1801" class="post-1801 post type-post status-publish format-standard hentry category-dns category-operations"> <header class="entry-header"> <h1 class="entry-title">How We Measure: DNSSEC Validation</h1> <p class="entry-meta"> <span class="sep"></span><time class="entry-date" datetime="2023-10-30T02:19:28+00:00"> 30 Oct 2023</time> <span class="cat-links"> <span class="entry-utility-prep entry-utility-prep-cat-links">in</span> <a href="https://labs.apnic.net/index.php/category/dns/" rel="category tag">DNS</a>, <a href="https://labs.apnic.net/index.php/category/operations/" rel="category tag">Operations</a> </span> by <span class="sep"></span><span class="author-name">Geoff Huston</span> </header> <div class="entry-content"> <p><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></p> <style type="text/css">.small {font-size: smaller}.small5 {font-size: smaller; margin-left: 5em; text-align: left; font-family: monospace; }p {text-align: justify; }.quote {text-align: justify; font-family: Verdana, Arial, Helvetica, sans-serif; }.sidenote2 { color: rgb(80,80,80); background-color: #F5F0DA; margin-right: 5px; margin-left: 140px; padding: 10px; border: 1px #DFCE9D solid; font-size: smaller; }pre {margin-left: 2em; padding: 3px; font-family: Menlo,"Courier New", Courier, mono; font-size: smaller; }.indent5 { margin-left: 5em; }.i5 { margin-left: 5em; font-size: smaller; }.indent5 { margin-left: 5em;}.hang5 { margin-left: 10em; text-indent: -5em; }p.caption5 {text-align: left; margin-left: 5em; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: smaller; font-style:italic;}p.caption {text-align: center; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: smaller; font-style:italic;}table.inline { border-width: 1px; border-spacing: ; border-style: none; border-color: gray; border-collapse: collapse;background-color: white; text-align: right ;background-color: white; }table.inline th { border-width: 1px; padding: 2px; border-style: inset; border-color: gray; background-color: white; -moz-border-radius: ; font-style: bold; text-align: center; font-size: smaller;}table.inline td { border-width: 1px; padding: 2px; border-style: inset; border-color: gray; background-color: white; -moz-border-radius: ; vertical-align: top ; text-align: center; font-size: smaller; }table.nonline { border-width: 0px; border-spacing: ; border-style: none; border-color: gray; border-collapse: collapse;background-color: white; text-align: left; background-color: white;}table.nonline td { vertical-align: top ; text-align: left; font-size: smaller; }.ttc { color: rgb(100,100,100); margin-left: 5em; font-family: "Lucida Console", "Courier New", Courier; text-align: left; }.tx { margin-left: 0em; font-family: "Lucida Console", "Courier New", Courier, mono; text-align: left; }.ttb { margin-left: 5em; font-family: "Courier New", Courier; text-align: left; font-size: smaller; }iframe {margin: 0; padding: 0; border: none;}h4,h5,h6 { color: rgb(28,28,28); }</style> <p>At APNIC Labs we publish a number of measurements of the deployment of various technologies that are being adopted on the Internet. Here we will look at how we measure the adoption of DNSSEC validation.</p> <h3>DNSSEC</h3> <p>Security for the DNS has been a vexed topic for many years. The days of a trusting Internet where name resolution transactions are carried across the Internet in an open unencrypted manner should be long over. The situation where clients are in no position to verify the authenticity of the server that they are communicating with, nor being able to directly verify the authenticity of the DNS responses that they receive should not be a feature of today’s DNS. Yet we still see many forms of interference in the operation of the DNS name resolution protocol. Some of this DNS interference is institutionalised in the form of national censorship or court-ordered measures, intending to prevent users from accessing certain network resources. Other cases are related to malware and cyber-attacks intended to deceive user applications to direct their traffic to incorrect destinations. It seems to be an impossible task to enforce a halt to all forms of interference in the DNS. But perhaps it is possible to settle for a lesser objective, where a client is able to assure itself of the authenticity and currency of a DNS response, and reject all DNS responses that fail such tests of authenticity.</p> <p><a href="https://www.rfc-editor.org/rfc/rfc4033">DNSSEC</a> is intended to achieve such an outcome. DNSSEC adds a digital signature to DNS resource records, allowing a client to determine the authenticity and currency of a DNS answer, if they so choose. You would think that at this point in time, with a widespread appreciation of just how horrendously toxic the Internet really is, anything that allows a user to validate the authenticity of the response that they receive from a DNS query would be seen as a huge step forward, and we should all be clamouring to use it. Yet the extent of take up of DNSSEC is an active question where there is no clear answer. In some areas there is visible movement and visible signs of increasing adoption, while in other areas the response is less than enthusiastic. Many operators of recursive DNS resolvers, particularly in the ISP sector, are reluctant to add the resolution steps to request digital signatures of DNS records and validate them, and very, very few DNS stub resolvers on users’ devices at the edge of the network have similar DNSSEC validation functionality. Over on the signing side, the uptake of adding DNSSEC signatures to DNS zones is, well, variable.</p> <p>DNSSEC has two parts. The first is the attachment of digital signatures to DNS records, so that each DNS response can be validated by a DNS resolver. The second is the validation of these digital signatures by a DNS resolver. There is no real point in incurring the additional overheads in signing DNS responses if no one is validating these signed responses, and equally there is no point in equipping DNS client to validate signed DNS responses if no one is signing these responses in the first place.</p> <p>Measuring the first part of the DNSSEC question is challenging. It’s such a simple question: “What fraction of the entire DNS name space has been signed with DNSSEC?” The question assumes two capabilities, namely that we have some idea as to the overall count of DNS names, and secondly, that we can determine the count of signed names. An exact count of all domain names on the Internet is a practical impossibility these days. I guess that it would be possible in theory if every DNS zone administrator allowed full zone transfers, and every zone was able to be fully enumerated. In such a world, a DNS crawler could start at the root zone and follow all the zone delegation records and integrate across the entire DNS name hierarchy. However, much of the DNS is deliberately occluded, and such an approach of top-down crawling is just not viable, even if all DNS zones were enumerable, which is increasingly not the case. There have been a number of measurement exercises that refine this question to something a little more tractable. An overview of these approaches can be found in a <a href="https://www.potaroo.net/ispcol/2023-09/dnssec-queries.html">recent article</a> on measuring the use of DNSSEC by query profiling.</p> <p>Answering the second part of the question is what we’ll focus on here, as this is where APNIC Labs has made an important contribution.</p> <h3>Measuring DNSSEC Validation</h3> <p>The question we’d like to answer is: “What proportion of users use DNS resolvers that perform validation of DNS responses?” This is a question that is more easily answered by using a negative formulation of the question: “What proportion of users will be unable to resolve a DNS name if the name is signed with an invalid DNSSEC signature?”</p> <p>The reason why this is an equivalent question is that when a DNSSEC signature cannot be validated by a resolver, then the resolver will withhold the DNS response and return an error code instead. That means that when a validating DNS resolver is presented with an invalid DNS signature then the resolver will not return the DNS response. The DNS error that is returned is SERVFAIL, and the conventional action by a client resolver when it receives this error is to try the same query with the next resolver in its resolver list. If the client does not receive a response to its query to resolve this invalidly-signed DNS name than it means that all the locally-configured recursive resolvers are performing DNSSEC validation.</p> <p>Obviously, if any of these recursive resolvers are not performing DNSSEC validation then the client will receive a response to the query.</p> <p>We cannot directly query the DNSSEC capabilities of each DNS resolver, nor can we query each DNS resolver for the count of users who pass queries to it. But we can perform an equivalent measurement by a large-scale sampling measurement.</p> <h4>Measurement by Advertisements</h4> <p>APNIC Labs uses online advertisements to perform such measurements. The advertisement material includes a script component which is executed by the user’s browser when the ad is impressed. The scription capabilities are highly limited in the context of ads as a mitigation measure against malware distribution, but under certain circumstances ad scripts permit the retrieval of URLs. A URL requires resolution of a DNS name and then an HTTP operation to fetch the identified resource.</p> <p>The DNS name used in these ads is unique, in that each measurement test in each impressed ad uses a different DNS label. This is to remove the interference from caches in the operation of the measurement.</p> <p>The measurement system is configured to present between 15M to 20M ad impressions per day. The ad impression pattern across the Internet is not uniform, so we use additional data from the UN Statistics Division and the ITU-T to relate the number of ad impressions per country per day to the Internet user count per country per day. The per-country ad data is weighted by the relative user count per country to adjust for this implicit ad presentation bias.</p> <p>We cannot instrument the user’s browser, so we set up a known set of URL fetches to be performed by the client and configure the URLS such that the text client has to interact, either directly or indirectly with DNS and web servers that we operate. Then we can infer the behaviour of the test client by looking at the queries we see at pour servers. In the case of the DNS the only server that is authoritative for the DNS name is a server operated by APNIC Labs, so by examining the server logs we can determine if a user is attempting to resolve the DNS name into an IP address. For the HTTP object, again the only server that can serve the object is operated by APNIC Labs.</p> <p>We can infer that a test client is attempting to resolve a DNS name by virtue of the queries for the unique label name being logged at the DNS server. We can tell if the DNS resolution was successful by virtue of the record of the object retrieval at the HTTP server in the server’s logs.</p> <h3>Measuring DNSSEC Validation</h3> <p>How can we tell if a DNS resolver is performing DNSSEC validation if all we can see is the queries made to the authoritative server of the terminal zone?</p> <p>A validating resolver will need to make additional queries to build a validation path, querying for a sequence of DNSKEY and DS records. In order to avoid DNS caching we need to ensure that the query names for these DNSSEC records are also unique. In this case wildcard entries will not achieve what we need, as the DNSKEY and DS records will be cached by the DNS. To achieve the DNS behaviour we need for this measurement we use a synthetic DNS delegation, according to the following template:</p> <p class="small5"> example.com:<br />     unique-query-label NS <i>server</i><br />         DS <i>key-hash-value</i><br />         RRSIG DS <i>signature</i><br />  <br /> unique-query-label.example.com:<br />     .   DNSKEY <i>key value</i><br />         RRSIG DNSKEY <i>signature</i><br />         A <i>ip address</i><br />         RRSIG A <i>signature</i></p> <p>The delegated domain server will be queried for the DNSKEY record, and the parent domain will be queried for the DS record. As the DNS label is unique, caching will not mask these queries. To achieve this, we use a dynamic DNS server implementation based on a DNS library, where the DNS server is authoritative for both parent and child domains.</p> <p>The structure of the measurement uses two DNS names (and two URLs), a validly signed DNS name and an invalidly signed DNS name.</p> <p>By using the DNS and HTTP server logs we can assemble a set of criteria to determine if the test client lies behind DNSSEC-validating DNS resolvers:</p> <div class="indent5"> <p>With two unique DNS names, <i>Test-Valid</i> and <i>Test-Invalid</i></p> <p>A test client uses <b>DNSSEC Validation</b> if:</p> <ul> <li>We record DS and DNSKEY queries for both <i>Test-Valid</i> and <i>Test-Invalid</i> domain names</li> <li>The test client retrieves the URL that uses the <i>Test-Valid</i> DNS name</li> <li>The test client does not retrieve the URL that uses the <i>Test-Invalid</i> DNS name</li> </ul> <p>A test client <b>partially uses DNSSEC Validation</b> if:</p> <ul> <li>We record DS and DNSKEY queries for <i>Test-Valid</i> and <i>Test-Invalid</i> domain names</li> <li>The test client retrieves the URL that uses the <i>Test-Valid</i> DNS name</li> <li>The test client retrieves the URL that uses the <i>Test-Invalid</i> DNS name</li> </ul> <p>Otherwise, the test client <b>does not use DNSSEC validation</b></p> </div> <p>We use the IP address of the end client and a geolocation database to locate the test client into a country and add the DNSSEC validation result to the per-country counts. We use the BGP routing table to locate the test client into a network, and add the result to the per-network counts.</p> <h3>DNSSEC Validation Reports</h3> <p>At APNIC Labs we’ve been undertaking this measurement on a daily basis since 2014. The overall results of the adoption of DNSSEC Validation are plotted at <a href="https://stats.labs.apnic.net/dnssec/XA">https://stats.labs.apnic.net/dnssec/XA</a>.</p> <p class="caption5"><a href="https://www.potaroo.net/ispcol/2023-10/measure-dnssec-f1.png"><img decoding="async" src="https://www.potaroo.net/ispcol/2023-10/measure-dnssec-f1.png" width="80%""></a><br /> Figure 1- Internet Total for Uptake of DNSSEC Validation</p> <p>The per-country data is also mapped at <a href="https://stats.labs.apnic.net/dnssec">https://stats.labs.apnic.net/dnssec</a>. DNSSEC validation rates on a per country basis are highest in parts of Africa and Scandinavia. In other countries with extensive Internet infrastructure, such as the UK, Canada Spain and China, the validation rates are quite low.</p> <p class="caption5"><a href="https://www.potaroo.net/ispcol/2023-10/measure-dnssec-f2.png"><img decoding="async" src="https://www.potaroo.net/ispcol/2023-10/measure-dnssec-f2.png" width="80%""></a><br /> Figure 2- Per-Country Totals for Uptake of DNSSEC Validation</p> <p>The reports at <a href="https://stats.labs.apnic.net/dnssec">https://stats.labs.apnic.net/dnssec</a> provide an interactive form of navigation that generates time series DNSSEC validation reports down to the level of individual network providers in each country.</p> </div> <footer class="entry-meta"> This entry was posted in <a href="https://labs.apnic.net/index.php/category/dns/" rel="category tag">DNS</a>, <a href="https://labs.apnic.net/index.php/category/operations/" rel="category tag">Operations</a> by <a href="https://labs.apnic.net/index.php/author/gih/">Geoff Huston</a>. Bookmark the <a href="https://labs.apnic.net/index.php/2023/10/30/how-we-measure-dnssec-validation/" title="Permalink to How We Measure: DNSSEC Validation" rel="bookmark">permalink</a>. </footer> </article> </div> </div> </div> </div> </div> </div> </div>  <div id="footer"> <div class="container"> <div class="row"> <div class="collapse navbar-collapse"> <ul class="nav navbar-nav"> <li id="global-apnic-navbar-link-apnic"><a href="//www.apnic.net/">APNIC</a></li> <li id="global-apnic-navbar-link-myapnic"><a href="//myapnic.net/">MyAPNIC</a></li> <li id="global-apnic-navbar-link-training"><a href="//training.apnic.net/">Training</a></li> <li id="global-apnic-navbar-link-conferences"><a href="//conference.apnic.net/">Conferences</a></li> <li id="global-apnic-navbar-link-icons" class="active"><a href="https://labs.apnic.net/">Labs</a></li> </ul> </div> <div class="col-sm-5 col-xs-6 col-left"> <div id="footer-stamp"> <p><strong>APNIC</strong><br/> Asia Pacific Network<br/> Information Centre</p> </div> </div> <div class="col-sm-3 col-xs-6 col-middle"> <div id="footer-contact"> <h2 class="h4">Contact us</h2> <p><a href="mailto:research@apnic.net">research@apnic.net</a><br/>Tel: +61 7 3858 3188</p> </div> </div> <div class="col-sm-4 text-right col-right"> <ul class="list-inline"> <li><a href="//www.youtube.com/user/apnicmultimedia"><img src="//labs.apnic.net/template-files/social-media/32/youtube.png" width="25" alt="YouTube" title="YouTube"/></a></li><li><a href="//www.flickr.com/photos/apnictraining/"><img src="//labs.apnic.net/template-files/social-media/32/flickr.png" width="25" alt="Flickr" title="Flickr"/></a></li><li><a href="//www.facebook.com/APNIC"><img src="//labs.apnic.net/template-files/social-media/32/facebook.png" width="25" alt="Facebook" title="Facebook"/></a></li><li><a href="//twitter.com/apnic"><img src="//labs.apnic.net/template-files/social-media/32/twitter.png" width="25" alt="Twitter" title="Twitter"/></a></li><li><a href="//www.linkedin.com/company/apnic"><img src="//labs.apnic.net/template-files/social-media/32/linkedin.png" width="25" alt="LinkedIn" title="LinkedIn"/></a> </li><li><a href="https://www.apnic.net/apnic-info/rss/apnic-news"><img src="https://labs.apnic.net/template-files/social-media/32/rss.png" width="25" alt="RSS" title="RSS"/></a></li> </ul> <div id="footer-copyright"> <p class="text-right">© 2015 APNIC | <a href="https://www.apnic.net/apnic-info/privacy">Privacy</a></p> </div> </div> </div> </div> </div> </div>  </div> </body> </html>