Some DNSSEC / NSEC Experiments Starting at the Root Zone
Introduction I was recently playing around with DNSSEC and figured out that the root DNS zone . uses NSEC and not NSEC3 to prove the absence of a resource record. This looked interesting to me and triggered some ideas. So I did some experiments and here are the results. TL;Dr: The most interesting facts: The root DNS zone uses NSEC can be therefore be DNSSEC zone walked There are more than 1500 TLDs More than 90% of all TLDs haven DNSSEC configured The most used algorithm for signing DNS zones is RSA/SHA-256 53 TLDs also use NSEC and can therefore also be DNSSEC zone walked Note: The results may not be exactly accurate because it was not always verified if every query was always successful. ...