DNS Security Extensions (DNSSEC) were introduced nearly two decades ago to provide integrity and authenticity of DNS messages. Some studies have used active scans to examine how DNSSEC has been deployed over the years, and they commonly reported pervasive mismanagement such as missing DS records.
From the domain administrator's perspective, however, it is hard to understand what makes it really challenging to deploy and "manage" DNSSEC, or to fix errors; for example, answering the question "how long does it usually take for DNS administrators to resolve a specific DNSSEC error?" is nontrivial.
To shed light on these questions, we leverage DNSViz (dnsviz.net), which is one of the most extensive and popular tools for debugging DNSSEC errors. It helps domain name owners and others understand the current DNSSEC status of a domain name and diagnoses the problem if one exists.
With a 7-year DNSViz dataset that contains the DNS debugging histories of domains, we would like to share our preliminary findings.