from 29 September 2017 to 3 October 2017
Fairmont San Jose
US/Pacific timezone
Home > Timetable > Session details > Contribution details

Contribution Standard Presentation

Fairmont San Jose - Regency 2 Ballroom
Public Workshop

Quantifying the Quality of DNSSEC Validation in the Wild


  • Mr. Moritz MÜLLER

Primary authors


The Root Canary Project has the goal to monitor and measure the rollover of the DNSSEC root KSK. In this project we use over 9000 RIPE Atlas probes and ten-thousands of vantage point of the Luminati VPN network to continuously monitor recursive resolvers during the 9 months period of the rollover.

From each vantage point we query for testing domains that have bogus and valid signatures of the 12 DNSSEC algorithms that are standardized by the IETF. Thereby we can measure how recursive resolvers behave, for example, when the new KSK of the root becomes active.

Additionally, we gain operational insights into the behavior of recursive resolvers in the wild that go beyond the root KSK rollover. For example, we now know that the majority of the observed validating resolvers are stable and that some resolver implementations have incorrect behavior when they encounter certain DNSSEC algorithms.

In this presentation we want dig deeper in the support of DNSSEC algorithms and want to show how well recursive resolvers in the wild support the different signing algorithms, try to explain why some fail, and compare these results with the actual deployment of DNSSEC in major gTLDs and ccTLDs. Until the 27th DNS-OARC workshop, we will have over 3 months of continuous measurements at our disposal.

We want to invite the community to provide feedback to our measurements and help us to improve our ground truth data set. Therefore we want to introduce a small tool with which operators can contribute to the Root Canary Project and to studies like the one presented.


In this presentation we want to show how recursive resolvers in the wild support the wide range of different DNSSEC algorithms. We want to discuss how well new algorithms are supported, how stable resolvers validate over time, and compare our results with the deployment of DNSSEC in different TLDs. This study is based on the Root Canary Project and we would also like to invite operators to provide feedback and ground truth data to our measurements.

Talk Duration

30 Minutes