The results of the 2010 DNS Survey come out this week. I know you've all been waiting with bated breath, so heres a summary of some of what I thought were the most interesting results:
We again examined a random sample of subzones of the Big Three gTLDs, .COM, .NET and .ORG. As in previous surveys, we looked for DNSSEC resource records that would tell us whether these subzones were signed.
The percentage of signed subzones jumped dramatically, by 340%. But as in previous years survey's, the absolute percentage remains stubbornly low, just .022% of our sample. Perhaps this isn't that surprising, given that .ORG is the only gTLD of the three that's signed, and it was only signed this year. The impending signing of .NET (later this week!) and .COM (early next year) will make it more valuable for administrators in these gTLDs to sign their zones.
For the first time, we tried validating data inthe signed subzones we found. Ahefty proportion failed validation because their signatures had expired, likely an indication that these zones were signed as a sort of science experimentand then abandoned, or evidence that administrative processes have broken down.
We also looked at how many name servers in a random sample supported TCP-based queries and EDNS0, an extension to DNS that allows transmission of larger UDP-based DNS messages. Both are necessary to support DNSSEC. 81.4% of the name servers we found supported TCP-based queries, but only 73.6% supported EDNS0. Many of the name servers that wouldn't answer our TCP-based queries were probably sitting behind firewalls that wouldn't pass those queries, a situation that could be remedied with a simple firewall rule change. But the nameservers that didn't speak EDNS0 would almost certainly require an upgrade.
Overall, I think these results are cause for concern. DNSSEC isn't catching on organically as quickly as we'd like, and many name servers simply aren't capable of supporting it. 2011 will be a pivotal yearfor DNSSEC: With the root zone signed, as well as .COM, .NET and .ORG, most administrators will have no good excuse for not signing their zones.