When I first saw the ICANN TLD DNSSEC Report which, at the time, had no diagram on it, I wanted to make a diagram showing the progress of DNSSEC-signing in the Top-Level Domains (TLDs). The result (well, its second iteration) is what I call the Graphic DNSSEC in the TLDs Report. (Have a look at it before reading on.)
Let me tell you about how I did that.
Presenting the data
If you query the DNS for a TXT Resource Record at the domain tldstats.jpmens.net, you'll see the following:
The single TXT record contains a JSON string as its data. (It looks a bit funny with all those escaped quotes, but that’s the way it is stored in the DNS.) The unescaped and reformatted JSON string looks like this:
The values have the following meanings:
- signed means the TLD has at least one DNSKEY record in it.
- dlv means a record for the TLD was found in the ISC DLV Registry.
- dsroot signifies a DS record for the TLD was found in the DNS root zone.
- unsigned means that no DNSKEY, DS, or DLV records were found for the domain.
- total is the total number of TLDs in the IANA Registry.
Obtaining and storing the data
The values you saw above are obtained from two sources:
- The list of TLDs is retrieved via HTTP from the IANA Registry.
- The other values are obtained directly via the DNS.
Putting it all together takes about half a minute (with a warm DNS cache), and I then update the DNS using a signed update.
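As an added illustration (not the author's own script), here is the data-handling side of the above in Python: decoding the TXT record's escaped presentation form back into JSON, tallying per-TLD lookup results according to the definitions given earlier, and re-encoding the counts as TXT rdata ready for an update. The DNS queries, the IANA fetch and the signed update itself are left out; the TLD names and counts are constructed samples.

```python
import json
import re

# Constructed sample in DNS presentation form, the way dig prints a TXT record
# (the real record at tldstats.jpmens.net carries the live counts).
SAMPLE_TXT_RDATA = r'"{\"signed\": 4, \"dlv\": 1, \"dsroot\": 3, \"unsigned\": 6, \"total\": 10}"'

# Constructed per-TLD lookup results; the TLD names are placeholders.
SAMPLE_LOOKUPS = {
    "example-a": {"dnskey": True, "dsroot": True, "dlv": False},
    "example-b": {"dnskey": True, "dsroot": False, "dlv": True},
    "example-c": {"dnskey": False, "dsroot": False, "dlv": False},
}

def unescape_txt(rdata):
    """Join the quoted <character-string>s of a TXT record and undo RFC 1035
    presentation escaping: \\X gives X, \\DDD gives the byte with decimal value DDD."""
    out = []
    for piece in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata):
        i = 0
        while i < len(piece):
            if piece[i] != "\\":
                out.append(piece[i]); i += 1
            elif len(piece[i + 1:i + 4]) == 3 and piece[i + 1:i + 4].isdigit():
                out.append(chr(int(piece[i + 1:i + 4]))); i += 4
            else:
                out.append(piece[i + 1]); i += 2
    return "".join(out)

def parse_tldstats(rdata):
    """TXT rdata -> dict of counts (raises ValueError if the payload is not JSON)."""
    return json.loads(unescape_txt(rdata))

def tally(lookups):
    """Count TLDs per the report's definitions. Categories overlap: a TLD with a
    DNSKEY and a DS in the root counts under both 'signed' and 'dsroot'."""
    counts = {"signed": 0, "dlv": 0, "dsroot": 0, "unsigned": 0, "total": len(lookups)}
    for r in lookups.values():
        counts["signed"] += r["dnskey"]
        counts["dlv"] += r["dlv"]
        counts["dsroot"] += r["dsroot"]
        counts["unsigned"] += not (r["dnskey"] or r["dlv"] or r["dsroot"])
    return counts

def to_txt_rdata(counts):
    """Encode counts as JSON in TXT presentation form, escaping backslashes and
    quotes and splitting into 255-byte character-strings (ASCII payload assumed)."""
    text = json.dumps(counts, separators=(", ", ": "))
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return " ".join('"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks)
```

The output of to_txt_rdata() is what you would hand to nsupdate as the new record data.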
That just about covers it.