All about DNSSEC

.nl stats and data - SIDN Labs

https://stats.sidnlabs.nl/en/

DNS | DNSSEC | Dataset | IP | Network

Historic datasets (from 2014 onwards) for the .nl TLD. Datasets are available in JSON format.

Datasets cover information about:

  • DNS
    • Domain Names
    • Query Type
    • Response Codes
    • IPv6 Support
  • Resolvers
    • Location
    • Number of IP addresses
    • Validating Resolvers
    • Popular Networks
    • Port Randomness
  • DNSSEC
    • Validating Queries
    • DANE
    • Used Algorithms
  • Mail
    • Mail Resource Records (RRs)
    • SPF Information

APNIC Labs Stats

https://stats.labs.apnic.net/

Autonomous System | BGP | DNS | DNSSEC | Dataset | IP

APNIC gathers many statistics and offers them on their website. However, they provide way more data than it might initially look like, since many of the datasets are not linked from their main page.





DNS Quality/Overview Tools

DNS | DNSSEC | Dataset | Network | Tool

Check My DNS

Browser-based DNS resolver quality measurement tool. Uses the browser to generate many resolver queries and tests for features they should have, such as EDNS support, IPv6, QNAME Minimization, etc.

This test is also available as a CLI tool: https://github.com/DNS-OARC/cmdns-cli

DNSSEC Debugger

Analyze DNSSEC deployment for a zone and show errors in the configuration.

DNSViz

Gives an overview of DNSSEC delegations, response sizes, and name servers.

GitHub: https://github.com/dnsviz/dnsviz

DNS X-Ray

The website has an online test, which performs DNS lookups. These DNS lookups test if certain resource records are overwritten in the cache. The tool can then determine what DNS software is used, where the server is located, how many caches there are, etc.

EDNS Compliance Tester

Test name server of zones for correct EDNS support.

The Transitive Trust and DNS Dependency Graph Portal

Shows the trust dependencies in DNS. Given a domain name, it can show how zones delegate to each other and why. The delegation is done between IP addresses and zones.

Root Canary Project

The project used to monitor the first root KSK key rollover. Now it contains the paper "Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover" describing the experiences of the first root KSK rollover

Additionally, it includes a tester for DNSSEC algorithm support, which shows the algorithms supported by the currently used recursive resolver. It provides statistics about support for DNSSEC algorithms. It has a web-based test to test your own resolver and provides a live monitoring using the RIPE Atlas.

DNSSEC algorithms resolver test






ICANN Indentifier Technologies Health Indicators

https://ithi.research.icann.org/metrics.html

DNS | DNSSEC | Dataset | Network

ICANN tracks the general health of the DNS ecosystem and related ecosystems. The data is updated irregularly, but historic data is available. The collected data covers eight major topics:

  1. M1: inaccuracy of Whois Data
  2. M2: Domain Name Abuse
  3. M3: DNS Root Traffic Analysis
  4. M4: DNS Recursive Server Analysis
  5. M5: Recursive Resolver Integrity
  6. M6: IANA registries for DNS parameters
  7. M7: DNSSEC Deployment.
  8. M8: DNS Authoritative Servers Analysis

Each topic has too many sub categories to list here.



SIDN Labs DNS Workbench

https://workbench.sidnlabs.nl/

DNS | DNSSEC

The DNS workbench is a testbed which allows experimentation how different authoritative DNS servers answer to queries.

It covers five open-source authoritative servers, namely Bind9, Knot, NSD4, PowerDNS, and Yadifa. The workbench contains zones to test the support for many different resource record (RR) types, DNSSEC validation and how invalid zones are managed, delegations, zone transfers, and potentially more.

Find the project on GitHub.


Subdomain Enumeration by Bastian Kanbach

https://blog.apnic.net/2023/01/17/subdomain-enumeration-with-dnssec/

DNS | DNSSEC | Tutorial

The blog post about Subdomain Enumeration in the APNIC blog provides a great overview of the techniques, defenses, and tools for it. Subdomain enumeration is the act of learning available subdomains in a zone using DNSSEC. This is with NSEC records and somewhat harder with NSEC3, due to hashing of names. The blog goes explains how online signing can combat subdomain enumeration, using the white lies or the black lies strategies. Lastly, it links to tools for performing these attacks.