Historic datasets (from 2014 onwards) for the .nl TLD. Datasets are available in JSON format.
Datasets cover information about:
APNIC gathers many statistics and offers them on their website. However, they provide way more data than it might initially look like, since many of the datasets are not linked from their main page.
Contains lists for DNS servers, libraries, tools, and other resources.
List of maintained and unmaintained DNS servers, including descriptions for each of them.
Short overview of open-source projects for authoritative and recursive servers and development libraries.
https://www.knot-dns.cz/benchmark/
DNS | DNSSEC | DatasetThe website is an ongoing project by Knot DNS to measure the performance of various DNS servers. Four open-source servers are tested, namely BIND, Knot DNS, NSD, and PowerDNS. The benchmark includes different zone configurations matching to root zones, TLD zones, or hosting zones as well as different DNSSEC configurations.
The DNS Privacy Project aims to improve privacy for users on the Internet.
The project is split into different groups working on DNS privacy:
The project focuses mostly on DNS over TLS. They provide overviews for the implementation status, configuration for test servers, and ongoing server monitoring, which features they provide.
Browser-based DNS resolver quality measurement tool. Uses the browser to generate many resolver queries and tests for features they should have, such as EDNS support, IPv6, QNAME Minimization, etc.
This test is also available as a CLI tool: https://github.com/DNS-OARC/cmdns-cli
Analyze DNSSEC deployment for a zone and show errors in the configuration.
Gives an overview of DNSSEC delegations, response sizes, and name servers.
GitHub: https://github.com/dnsviz/dnsviz
The website has an online test, which performs DNS lookups. These DNS lookups test if certain resource records are overwritten in the cache. The tool can then determine what DNS software is used, where the server is located, how many caches there are, etc.
Test name server of zones for correct EDNS support.
Shows the trust dependencies in DNS. Given a domain name, it can show how zones delegate to each other and why. The delegation is done between IP addresses and zones.
The project used to monitor the first root KSK key rollover. Now it contains the paper "Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover" describing the experiences of the first root KSK rollover
Additionally, it includes a tester for DNSSEC algorithm support, which shows the algorithms supported by the currently used recursive resolver. It provides statistics about support for DNSSEC algorithms. It has a web-based test to test your own resolver and provides a live monitoring using the RIPE Atlas.
https://www.internetsociety.org/deploy360/dnssec/maps/
DNS | DNSSEC | Dataset | NetworkThe Internet Society published maps showing the distribution of IPv6 support worldwide. The maps are available also with historic data, but are only updated sporadically. More current maps and CSV files are available on the mailing list.
https://rick.eng.br/dnssecstat/
DNS | DNSSEC | Dataset | NetworkRegularly updated reports about the current DNSSEC deployment. Contains information per TLD and global distribution.
The website keeps track of all DNSSEC keys in the top-level domains (TLDs) and informs when the signatures are about to expire. The time before some RRSIGs expire is color coded. It also shows error which happened during validation.
https://powerdns.org/hello-dns/
DNS | DNSSEC | TutorialHello DNS is a project to write an easy to read/understand summary of the DNS specification. It provides an entry point to understand DNS given that the full DNS specification is easily 2000 pages in size.
https://ithi.research.icann.org/metrics.html
DNS | DNSSEC | Dataset | NetworkICANN tracks the general health of the DNS ecosystem and related ecosystems. The data is updated irregularly, but historic data is available. The collected data covers eight major topics:
Each topic has too many sub categories to list here.
https://ianix.com/pub/dnssec-outages.html
DNS | DNSSEC | DatasetThe website collects major outages caused by broken DNSSEC deployments in the wild. It tracks root and TLD errors and some selected websites. Each outage is timestamped and has some description about the problem. The entries contain information from the VeriSign DNSSEC debugger and DNSViz.
https://workbench.sidnlabs.nl/
DNS | DNSSECThe DNS workbench is a testbed which allows experimentation how different authoritative DNS servers answer to queries.
It covers five open-source authoritative servers, namely Bind9, Knot, NSD4, PowerDNS, and Yadifa. The workbench contains zones to test the support for many different resource record (RR) types, DNSSEC validation and how invalid zones are managed, delegations, zone transfers, and potentially more.
https://blog.apnic.net/2023/01/17/subdomain-enumeration-with-dnssec/
DNS | DNSSEC | TutorialThe blog post about Subdomain Enumeration in the APNIC blog provides a great overview of the techniques, defenses, and tools for it. Subdomain enumeration is the act of learning available subdomains in a zone using DNSSEC. This is with NSEC records and somewhat harder with NSEC3, due to hashing of names. The blog goes explains how online signing can combat subdomain enumeration, using the white lies or the black lies strategies. Lastly, it links to tools for performing these attacks.
https://observatory.research.icann.org/tld-apex-history/
DNS | DNSSEC | Dataset | IP | NetworkThe TLD Apex History is an ICANN project to gather DNSSEC related records for all TLDs.
Further information about the project can be found in this presentation.
https://dnsthought.nlnetlabs.nl/
DNS | DNSSEC | Dataset | NetworkDnsthought lists many statistics about the resolvers visible to the .nl-authoritative name servers. The data is gathered from the RIPE Atlas probes. There is a dashboard which only works partially.
Raw data access is also available.