A few DNSSec statistics

Subject Author Date
A few DNSSec statistics Lutz Donnerhacke 05-07-2007
Posted by Lutz Donnerhacke on June 11, 2007, 4:44 am
* Lutz Donnerhacke wrote:
> Overview of 1419 signed zones:
> 709 -5 Entry Point
> 10 -1 broken chain
> 279 +44 chained
> 0 -26 new
> 421 -73 unreachable

cc-TLD BR is signed now.

Posted by Lutz Donnerhacke on August 1, 2007, 11:12 am
Overview of 1033 signed zones:
695 -14 Entry Point
10 broken chain
279 chained
0 new
49 -372 unreachable

Top 10 autonomous systems injecting DNSSec zones:
439 -1 AS15725
70 AS3333
69 AS3245
68 AS3557
29 -1 AS25537
26 -1 AS24776
23 AS39570
20 +1 AS22548
17 AS36810
17 AS10466

Top 10 TLD containing DNSSec zones:
242 +1 ARPA
217 -2 DE
145 -59 COM
70 SE
69 -1 BG
52 -10 ORG
44 -7 NET
29 -2 RU
22 +22 BR
21 -5 INFO

191 (-21) weak keys:
Top 10 autonomous systems injecting weak keys:
29 -1 AS25537
26 AS24776
13 AS3216
13 +1 AS29632
12 AS7132
7 AS20943
5 AS8228
5 AS8683
4 +4 AS12859
4 +4 AS6197

10 broken DS chains:
17.32.198.in-addr.arpa, 42.32.198.in-addr.arpa, wesh.netsec.tislabs.com
badds.dnssec.jp, hostcount.ripe.net, k.ripe.net, ris.ripe.net, bitstring.se
xn--ihrn-dpa.se, xn--lda-ula.xn--ihrn-dpa.se

31 (+3) parent DS to unsigned zones:

15 (-2) unnecessary islands:
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa
241.75.217.in-addr.arpa, pixaco.com.br, badnxt.dnssec.jp
nods-ns.test.dnssec-tools.org, autonomica.se, cafax.se, echo-lan.se
hooden.se, nning.se, shinkuro.se, skabb.se, staver.se, zkt.se

49 (-372) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
12 +8 AS5537
8 -370 AS3265
4 +3 AS23342
2 +2 AS8608
2 +1 AS39570
1 +1 AS2833
1 +1 AS14744
1 +1 AS4436
1 +1 AS546
1 +1 AS40966


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

Posted by Lutz Donnerhacke on August 1, 2007, 11:15 am
* Lutz Donnerhacke wrote:
> Overview of 1033 signed zones:
> 49 -372 unreachable
>
> 49 (-372) unreachable zones:
> Top 10 autonomous systems containing unreachable zones:
> 8 -370 AS3265

AS3265 failed to upgrade their software for DNSSEC.

Posted by Lutz Donnerhacke on August 31, 2007, 6:48 am
Overview of 11627 signed zones:
1499 +804 Entry Point
9618 +9618 Test
6 -4 broken chain
405 +126 chained
0 new
99 +50 unreachable

Top 10 autonomous systems injecting DNSSec zones:
783 +754 AS25537
461 +22 AS15725
125 +57 AS3557
77 +7 AS3333
70 +50 AS22548
69 AS3245
45 +19 AS24776
28 +5 AS39570
19 +5 AS559
18 +5 AS3216

Top 10 TLD containing DNSSec zones:
783 +754 RU
274 +32 ARPA
232 +15 DE
147 +2 COM
100 +48 ORG
88 +18 SE
84 +62 BR
69 BG
48 +4 NET
38 +38 FR

950 (+759) weak keys:
Top 10 autonomous systems injecting weak keys:
753 +724 AS25537
45 +19 AS24776
18 +5 AS3216
16 +11 AS8228
13 AS29632
9 -3 AS7132
8 +1 AS20943
4 +4 AS29344
4 AS12859
3 +3 AS2119

6 (-4) broken DS chains:
17.32.198.in-addr.arpa, 42.32.198.in-addr.arpa, iana.icann.root.zx.com
bitstring.se, xn--ihrn-dpa.se, xn--lda-ula.xn--ihrn-dpa.se

24 (-7) parent DS to unsigned zones:

26 (+11) unnecessary islands:

99 (+50) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
30 +29 AS25537
12 AS5537
7 +6 AS15725
4 +4 AS6197
4 +2 AS39570
2 -6 AS3265
1 +1 AS22894
1 +1 AS15201
1 AS2833
1 +1 AS80


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

Posted by Lutz Donnerhacke on August 31, 2007, 6:59 am
* Lutz Donnerhacke wrote:
> Overview of 11627 signed zones:
> 1499 +804 Entry Point
> 9618 +9618 Test
> 6 -4 broken chain
> 405 +126 chained
> 0 new
> 99 +50 unreachable

I separated testing environments from real deployment.
Testing zones are not further examined.

> Top 10 TLD containing DNSSec zones:
> 783 +754 RU
> 274 +32 ARPA
> 232 +15 DE
> 147 +2 COM
> 100 +48 ORG
> 88 +18 SE
> 84 +62 BR
> 69 BG
> 48 +4 NET
> 38 +38 FR

I got some information from the RU and the FR zone, so I could check those
zones more deeply.

Furthermore I checked the immediate IP neighbourhood of servers in signed
zones for other hosts assuming that the zones of those hosts are also
signed. This reveals a lot of new entries.

Finally I sent e-mail about configuration errors or possible improvements to
the zonemasters of possibly erroneous zones. Several of those configurations
were fixed.

--
Public production ready DNSSEC signed root at a.dnssec.thur.de, ...
. DS 47484 5 1 83BD0576C2EB42FA9E9B5B9FDD8000F2E1F30C5B
Lookaside zone for most effective DNSSEC deployment right now.
dnssec.iks-jena.de. DS 61533 5 1 CEF158A447EF2E65ACBDBDC068231E08A991A269
