[AusNOG] What's even less popular than IPv6? DNSSEC!
Mark Andrews
marka at isc.org
Wed May 25 09:08:42 EST 2016
In message <aa47e0d3-9fed-84a2-63d0-7e0e63193d11 at mrp.net>, Mark Prior writes:
> On 24/05/2016 22:42, Chris Jones wrote:
> >
> >> On 24 May 2016, at 9:20 PM, Mark Prior <mrp at mrp.net> wrote:
> >>
> >> I've added a test for DNSSEC deployment to my existing IPv6 survey and
> >> it's not pretty. Looking at the section that lists the organisations
> >> that attended AusNOG2 shows no organisations (aside from me) using
> >> DNSSEC on their domain and other sections are just as bare.
> >>
> >> <http://www.mrp.net/ipv6_survey/#ausnog>
> >>
> >> The obvious question is why isn't DNSSEC being deployed?
> >
> > We've had trouble with registrars and DNSSEC support. A bunch (*
> > non-scientific research here) of them simply don't support it, or support
> > it via manual processes.
> >
> > You thought ipv6 glue records were a pain, try getting DS records
> > rotated...
> >
> I haven't tried rotating the DS records but I've used both Gandi and
> GoDaddy and they've been relatively painless system to install the DS.
>
> My survey page identifies sites that have signed elements within their
> zone but not completed the chain of trust (tagged as TRUST), which you
> could do without dealing with your parent zone, and that doesn't show
> much activity.

DNS as a whole is poorly supported. Lot of absolutely non-RFC-compliant
garbage being used today. From my EDNS compliance checking results.

Of servers that responded at all:
6747 of 6779 (99.53%) responded to a EDNS version 0 query
6728 of 6779 (99.25%) responded to a EDNS unknown option
6687 of 6779 (98.64%) responded to a EDNS unknown flags
4889 of 6779 (72.12%) responded to a EDNS version 1 query
4883 of 6779 (72.03%) responded to a EDNS unknown version and option
6613 of 6779 (97.55%) of nameservers support EDNS
3756 of 6613 (56.80%) EDNS capable servers are all ok
4216 of 6613 (63.75%) EDNS capable servers support unknown EDNS versions
6106 of 6613 (92.33%) EDNS capable servers support unknown EDNS options
6273 of 6613 (94.86%) EDNS capable servers support unknown EDNS flags
3935 of 6613 (59.50%) EDNS capable servers support unknown EDNS version and options
6561 of 6613 (99.21%) EDNS capable servers support DO=1
3007 of 6613 (45.47%) EDNS capable servers return a NSID option
311 of 6613 (4.70%) EDNS capable servers return a EXPIRE option
2815 of 6613 (42.57%) EDNS capable servers return a SUBNET option
8 of 6613 (0.12%) EDNS capable servers return a Server EDNS COOKIE option
https://ednscomp.isc.org/compliance/au-report.html
> Mark.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
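
The following Python is an added example, not part of the original message and not the code behind the ISC report. It builds the OPT records for the kinds of probe the statistics above name (EDNS version 0, version 1, unknown option, unknown flags, DO=1) and checks a reply against RFC 6891, assuming the server implements only EDNS version 0; the probe labels, option code 100 and flag bit 0x0080 are choices made for this example.

```python
import struct

BADVERS, OPT_CODE, Z_BIT, DO_BIT = 16, 100, 0x0080, 0x8000  # 100, 0x0080: assumed unassigned
UNKNOWN = struct.pack("!HH", OPT_CODE, 0)  # that option code with an empty payload

def opt_rr(version=0, flags=0, options=b"", ext_rcode=0, udp_size=4096):
    # RFC 6891 OPT: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, len(options)) + options

def message(qname, opt, response=False):  # header + one SOA/IN question + OPT
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 if response else 0, 1, 0, 0, 1)
    return header + name + struct.pack("!HH", 6, 1) + opt

PROBES = {"edns": opt_rr(), "edns1": opt_rr(version=1), "do": opt_rr(flags=DO_BIT),
          "ednsopt": opt_rr(options=UNKNOWN), "ednsflags": opt_rr(flags=Z_BIT),
          "edns1opt": opt_rr(version=1, options=UNKNOWN)}  # label -> OPT record to send

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels to root or pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_edns(msg):  # -> (rcode, version, flags, option codes); None if no OPT came back
    _, hflags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:
            codes, p = [], 0
            while p + 4 <= len(rdata):
                code, length = struct.unpack("!HH", rdata[p:p + 4])
                codes, p = codes + [code], p + 4 + length
            return ((ttl >> 24) << 4) | (hflags & 0xF), (ttl >> 16) & 0xFF, ttl & 0xFFFF, codes

def check(probe, resp):
    edns = parse_edns(resp)
    if edns is None:
        return ["no OPT in response"]
    rcode, version, flags, codes = edns
    want = BADVERS if probe.startswith("edns1") else 0  # version 1 must draw BADVERS
    tests = {"wrong rcode/version": (rcode, version) != (want, 0),
             "unknown option echoed": OPT_CODE in codes,
             "reserved flag bits set": bool(flags & 0x7FFF)}  # DO (0x8000) may be echoed
    return [name for name, failed in tests.items() if failed]
```

`check(label, reply)` returns an empty list for a compliant reply and the names of the failed checks otherwise; `message(qname, PROBES[label])` gives the query bytes to send over UDP.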