
DNS Clients Do Request DNSSEC Today

Daniel Karrenberg — Sep 2010
After the DNS root zone was finally signed and a number of TLDs began signing their zones, we were curious to see how many clients actually request DNSSEC information. First we looked at our server that provides secondary service to several ccTLDs.

This server answers some 5000 queries per second on average. Here is the percentage of those queries that requested DNSSEC information in August 2010:

Figure 1: Queries with DNSSEC OK bit set

More than 50% of all queries request DNSSEC information from this server. This is quite encouraging. However, we do not know what the clients do with this information when they receive it.

We noticed a weekly pattern in the graph and investigated a little. Comparing this pattern to the query type looked promising:

Figure 2: Queries by QType (query type breakdown for August 2010)

It seems that the number of queries for mail servers (MX record queries) has a similar pattern. Looking at queries for MX records only confirms this:

Figure 3: Queries for MX Records (query type breakdown for August 2010)

On weekends we see relatively more queries for MX records and relatively fewer requests for DNSSEC information. Whether these MX queries are those that do not request DNSSEC information needs further investigation. However, from my personal experience of receiving more spam during the weekend than during the week, there are certainly a few hypotheses we could investigate here...

Let us complete the picture with data from some other RIPE NCC servers. Queries arriving at servers for reverse DNS zones show a similar picture with a slightly different pattern:

Figure 4: Reverse DNS zone queries with DNSSEC OK bit set (percentage of queries with DO bit at rDNS servers)

Still about 50% of all queries request DNSSEC information, but the patterns are reversed and not quite weekly. Interesting ...

Looking at K-root, the picture is a little less constant:

Percentage of queries at K-root with DO bit set

Figure 5: Queries with DNSSEC OK bit set as seen on

Again we see some weekly patterns, and normally more than 50%. Root name servers receive more 'anomalous' queries than other servers, a phenomenon often referred to as 'junk'. These queries often arrive at a very high rate and constitute a large percentage of the total load. Consequently a few sources or types of junk queries can influence measurements like this in a big way. The three large dips in this graph, for example, are caused by a high volume of non-EDNS0 queries from a single source address.
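As an added example (not part of the original post or of RIPE NCC's tooling), here is a Python script that computes the kind of measurement shown in the graphs above: it parses raw DNS query messages, detects the EDNS0 OPT record and its DO bit, and reports the DO percentage overall and per query type, together with the count of queries that carry no EDNS0 at all (the kind that caused the dips in Figure 5). The build_query helper and the SAMPLE messages are constructed for illustration.

```python
import struct
from collections import Counter
QTYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}
OPT_TYPE = 41     # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000  # DNSSEC OK bit: high bit of the OPT record's 16-bit flags

def _skip_name(msg, off):  # offset just past the wire-format name at off (no compression in queries)
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1

def parse_query(msg):
    """Return (qtype, edns0_present, do_bit) for a raw DNS query message."""
    qdcount, _, _, arcount = struct.unpack("!HHHH", msg[4:12])  # queries carry no AN/NS records
    off, qtype = 12, None
    for _ in range(qdcount):
        off = _skip_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4  # QTYPE + QCLASS
    edns0 = do = False
    for _ in range(arcount):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:  # in OPT the TTL field carries ext-rcode, version and flags
            edns0, do = True, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return qtype, edns0, do

def build_query(name, qtype, edns0=True, do=True):
    """Hypothetical helper: build a constructed sample query, optionally with an OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG if do else 0, 0) if edns0 else b""
    return hdr + qname + struct.pack("!HH", qtype, 1) + opt

def do_stats(queries):
    """Percent of queries with DO set, overall and per qtype, plus how many lack EDNS0 entirely."""
    total, do_set, non_edns = Counter(), Counter(), 0
    for msg in queries:
        qtype, edns0, do = parse_query(msg)
        for key in ("ALL", QTYPE_NAMES.get(qtype, str(qtype))):
            total[key] += 1
            do_set[key] += do
        non_edns += not edns0
    return {k: round(100.0 * do_set[k] / total[k], 1) for k in total}, non_edns

# Constructed sample: EDNS0 queries with and without DO, plus one plain (non-EDNS0) query.
SAMPLE = [build_query("example.com", 1), build_query("example.com", 1), build_query("example.net", 15, do=False),
          build_query("example.org", 15), build_query("example.org", 1, edns0=False)]
```

Feeding real captured queries (e.g. UDP payloads read from a pcap) to do_stats gives the per-qtype DO percentages the post plots, and the non_edns count flags the kind of junk that distorts them.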

In conclusion, we can say that the servers we operate consistently receive requests for DNSSEC information in more than half of the queries they answer. That is encouraging.




Anonymous says:
06 Sep, 2010 05:14 PM
Just looking at the "DO-bit" tells very little about the number of resolvers that actually validate, as you already indicated, especially since it has been the default in BIND for quite some time. […]/msg00058.html

Anonymous says:
30 Sep, 2010 12:22 AM
I concur, and would like to add that a client in the scope of a DNS root nameserver is usually a recursive nameserver acting on an end user's behalf. Even if DNSSEC information is passed on to, say, a desktop OS, it does not mean that this information will actually be evaluated.

Anonymous says:
30 Sep, 2010 01:29 PM
Of course you are both right. We want to look at the actual DNSSEC queries in a later study. But seeing that more than half of the resolvers are requesting the info is noteworthy by itself.