When I first saw the ICANN TLD DNSSEC Report which, at the time, had no diagram on it, I wanted to make a diagram showing the progress of DNSSEC-signing in the Top-Level Domains (TLDs). The result (well, its second iteration) is what I call the Graphic DNSSEC in the TLDs Report. (Have a look at it before reading on.)
Let me tell you about how I did that.
Presenting the data
If you query the DNS for a TXT Resource Record at the domain tldstats.jpmens.net, you'll see the following:
dig tldstats.jpmens.net txt
;; ANSWER SECTION:
tldstats.jpmens.net. 3600 IN TXT "{\"signed\":75,\"updated\":\"2011-06-10T12:14:31Z\",\"about\":\"http://mens.de/:/gdr\",\"dlv\":4,\"unsigned\":235,\"total\":310,\"dsroot\":70}"
The single TXT record contains a JSON string as its data. (It looks a bit funny with all those escaped quotes, but that’s the way it is stored in the DNS.) The unescaped and reformatted JSON string looks like this:
{
"signed" : 75,
"updated" : "2011-06-10T12:14:31Z",
"about" : "http://mens.de/:/gdr",
"dlv" : 4,
"unsigned" : 235,
"total" : 310,
"dsroot" : 70
}
The values have the following meanings:
- signed means the TLD has at least one DNSKEY record in it.
- dlv means a record for the TLD was found in the ISC DLV Registry.
- dsroot signifies a DS record for the TLD was found in the DNS root zone.
- unsigned means that no DNSKEY, DS, or DLV records were found for the domain.
- total is the total number of TLDs in the IANA Registry.
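The JSON-in-TXT encoding is what any consumer of the record (the page's own jQuery code included) has to undo before it can use the numbers. The following is an added example, not code from the original post: a small Python parser that takes a dig ANSWER line, unescapes the TXT rdata (handling \DDD escapes and TXT records split into several 255-byte character-strings, which this record does not need yet but would if the JSON grew), checks that the fields listed above are present with the right types, and derives the percentages a graph needs. The sample answer line is constructed from the dig output above; the two-day staleness threshold is my assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input: the ANSWER line from the dig output above,
# with dig's tabs collapsed to single spaces.
SAMPLE_ANSWER = (
    'tldstats.jpmens.net. 3600 IN TXT '
    '"{\\"signed\\":75,\\"updated\\":\\"2011-06-10T12:14:31Z\\",'
    '\\"about\\":\\"http://mens.de/:/gdr\\",\\"dlv\\":4,'
    '\\"unsigned\\":235,\\"total\\":310,\\"dsroot\\":70}"'
)

# Fields the report publishes and the type each must have.
REQUIRED = {"signed": int, "unsigned": int, "total": int,
            "dsroot": int, "dlv": int, "updated": str}

STALE_AFTER = timedelta(days=2)   # assumption: the numbers are regenerated daily


def txt_strings(rdata):
    """Split TXT rdata in zone-file presentation format into its
    character-strings, undoing the \\" \\\\ and \\DDD escapes."""
    out, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i] != '"':          # whitespace between strings
            i += 1
            continue
        i += 1
        buf = []
        while i < n and rdata[i] != '"':
            if rdata[i] == "\\":
                i += 1
                if i + 3 <= n and rdata[i:i + 3].isdigit():
                    buf.append(chr(int(rdata[i:i + 3])))   # \DDD decimal escape
                    i += 3
                elif i < n:
                    buf.append(rdata[i])                    # \" or \\
                    i += 1
            else:
                buf.append(rdata[i])
                i += 1
        if i >= n:
            raise ValueError("unterminated character-string")
        i += 1                       # closing quote
        out.append("".join(buf))
    return out


def parse_answer(line):
    """Parse one dig ANSWER line into the validated JSON object."""
    owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
    if rrtype != "TXT":
        raise ValueError("expected a TXT record, got " + rrtype)
    # A TXT record longer than 255 bytes is stored as several strings that
    # must be concatenated; the current record fits in one.
    data = json.loads("".join(txt_strings(rdata)))
    for key, typ in REQUIRED.items():
        if not isinstance(data.get(key), typ):
            raise ValueError("missing or malformed field: " + key)
    return data


def summarize(data, now=None):
    """Derive what the graph needs: percentages and a staleness flag.
    `now` is an ISO-8601 UTC timestamp string; None means the current time."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    updated = datetime.strptime(data["updated"], fmt).replace(tzinfo=timezone.utc)
    if now is None:
        current = datetime.now(timezone.utc)
    else:
        current = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    pct = lambda k: round(100.0 * data[k] / data["total"], 1)
    return {"signed_pct": pct("signed"), "unsigned_pct": pct("unsigned"),
            "dsroot_pct": pct("dsroot"), "dlv_pct": pct("dlv"),
            "stale": current - updated > STALE_AFTER}


if __name__ == "__main__":
    report = parse_answer(SAMPLE_ANSWER)
    print(json.dumps(report, indent=2))
    print(summarize(report))
```

The staleness flag is the check I would want on a page that renders numbers fetched from a cache-friendly record with a one-hour TTL: if the publishing job stops, the page should say so rather than keep showing last week's figures.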
The Graphic DNSSEC in the TLDs Report page uses jQuery to get the data (from the DNS), re-formats it a bit, and presents it dynamically on the page using Flot.
Obtaining and storing the data
The values you saw above are obtained from two sources:
- The list of TLDs is retrieved via HTTP from the IANA Registry.
- The other values are obtained directly via the DNS.
Putting it all together takes about half a minute (with a warm DNS cache), and I then publish the result in the DNS with a signed dynamic update.
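The collection side, as an added example rather than the author's own script: it parses the IANA list (a constructed sample in the format of data.iana.org's tlds-alpha-by-domain.txt, which is my assumption about the file used), classifies each TLD through a lookup function (here a constructed offline stand-in; a real one would query DNSKEY at the TLD apex, DS at the TLD's name in the root zone, and DLV at <tld>.dlv.isc.org), tallies the counts into the JSON shown above, encodes that as TXT rdata, and writes the nsupdate batch for a TSIG-signed update. The server name, zone and key file name are hypothetical.

```python
import json
from datetime import datetime, timezone

ABOUT = "http://mens.de/:/gdr"

# Constructed sample in the format of IANA's tlds-alpha-by-domain.txt:
# a '# Version ...' comment line, then one upper-case TLD per line.
SAMPLE_IANA_LIST = """# Version 2011061000, Last Updated Fri Jun 10 07:07:01 2011 UTC
COM
CZ
DE
NET
ORG
SE
XX
"""

# Constructed stand-in for the DNS: the set of (owner, type) RRsets that exist.
FAKE_DNS = {
    ("se.", "DNSKEY"), ("se.", "DS"),
    ("org.", "DNSKEY"), ("org.", "DS"),
    ("cz.", "DNSKEY"), ("cz.dlv.isc.org.", "DLV"),
    ("de.", "DNSKEY"),
}


def fake_lookup(owner, rrtype):
    """Offline replacement for a resolver: True if the RRset exists."""
    return (owner, rrtype) in FAKE_DNS


def parse_iana_list(text):
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def classify(tld, lookup):
    """Apply the report's definitions to one TLD."""
    label = tld.rstrip(".")
    has_key = lookup(label + ".", "DNSKEY")                 # signed
    has_ds = lookup(label + ".", "DS")                      # dsroot: DS in the root
    has_dlv = lookup(label + ".dlv.isc.org.", "DLV")        # ISC DLV registry
    return {"signed": has_key, "dsroot": has_ds, "dlv": has_dlv,
            "unsigned": not (has_key or has_ds or has_dlv)}


def tally(tlds, lookup, updated=None):
    counts = {"signed": 0, "dlv": 0, "unsigned": 0, "dsroot": 0}
    for tld in tlds:
        for key, flag in classify(tld, lookup).items():
            counts[key] += int(flag)
    counts["total"] = len(tlds)
    counts["updated"] = updated or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    counts["about"] = ABOUT
    return counts


def build_payload(counts):
    """Compact JSON; ensure_ascii keeps it 7-bit so byte and char counts agree."""
    return json.dumps(counts, separators=(",", ":"), ensure_ascii=True)


def txt_rdata(payload):
    """Encode as TXT presentation format: <=255-byte character-strings, with
    backslash and double quote escaped so nsupdate and zone parsers read it back."""
    data = payload.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    esc = lambda c: c.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
    return " ".join('"%s"' % esc(c) for c in chunks)


def nsupdate_script(name, rdata, server="ns.example.net", zone="jpmens.net", ttl=3600):
    """nsupdate batch that replaces the whole TXT RRset in one signed update."""
    return "\n".join([
        "server " + server, "zone " + zone,
        "update delete %s TXT" % name,
        "update add %s %d IN TXT %s" % (name, ttl, rdata),
        "send", ""])


if __name__ == "__main__":
    counts = tally(parse_iana_list(SAMPLE_IANA_LIST), fake_lookup)
    script = nsupdate_script("tldstats.jpmens.net.", txt_rdata(build_payload(counts)))
    print(script)
    # A real run feeds the batch to nsupdate with a TSIG key file (hypothetical name):
    #   subprocess.run(["nsupdate", "-k", "Ktldstats.+157+12345.private"],
    #                  input=script, text=True, check=True)
```

Two details worth keeping: the delete and add go in one transaction, so readers never see an empty RRset between the two, and the TXT encoder escapes the quotes itself rather than trusting that the JSON will never contain a backslash.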
That just about covers it.