When I first saw the ICANN TLD DNSSEC Report which, at the time, had no diagram on it, I wanted to make a diagram showing the progress of DNSSEC-signing in the Top-Level Domains (TLD). The result (well, its second iteration) is what I call the Graphic DNSSEC in the TLDs Report. (Have a look at it before reading on.)

Let me tell you about how I did that.

Presenting the data

If you query the DNS for a TXT Resource Record at the domain tldstats.jpmens.net, you’ll see the following:

dig tldstats.jpmens.net txt

tldstats.jpmens.net.	3600	IN	TXT	"{\"signed\":75,\"updated\":\"2011-06-10T12:14:31Z\",\"about\":\"http://mens.de/:/gdr\",\"dlv\":4,\"unsigned\":235,\"total\":310,\"dsroot\":70}"

The single TXT record contains a JSON string as its data. (It looks a bit funny with all those escaped quotes, but that’s the way it is stored in the DNS.) The unescaped and reformatted JSON string looks like this:

{
   "signed" : 75,
   "updated" : "2011-06-10T12:14:31Z",
   "about" : "http://mens.de/:/gdr",
   "dlv" : 4,
   "unsigned" : 235,
   "total" : 310,
   "dsroot" : 70
}

The values have the following meanings:

  • signed means the TLD has at least one DNSKEY record in it.
  • dlv means a record for the TLD was found in the ISC DLV Registry.
  • dsroot signifies a DS record for the TLD was found in the DNS root zone.
  • unsigned means that no DNSKEY, DS, or DLV records were found for the domain.
  • total is the total number of TLDs in the IANA Registry.

The Graphic DNSSEC in the TLDs Report page uses jQuery to get the data (from the DNS), re-formats it a bit, and presents it dynamically on the page using Flot.

Obtaining and storing the data

The values you saw above are obtained from two sources:

  • The list of TLDs is retrieved via HTTP from the IANA Registry.
  • The other values are obtained directly via the DNS.

Obtaining data

Putting it all together takes about half a minute (with a warm DNS cache), and I then update the DNS using a signed update.
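To make the collection step concrete, here is an added Python sketch (my illustration, not the author's script) that applies the definitions above to a list of TLDs, builds the JSON, escapes it as a TXT string and emits an nsupdate batch for the signed update. The lookup callback, the sample TLDs and their records are constructed for the example; a live run would plug in a real resolver.

```python
import json
from typing import Callable, Dict, Iterable, List

# Lookup callback: (owner name, RR type) -> list of RDATA strings (empty if none).
# Hypothetical interface; a live run would wrap a resolver such as dnspython.
Lookup = Callable[[str, str], List[str]]

DLV_REGISTRY = "dlv.isc.org."  # the ISC DLV Registry zone
ABOUT = "http://mens.de/:/gdr"

def tld_status(tld: str, lookup: Lookup) -> Dict[str, bool]:
    """Apply the report's definitions to one TLD."""
    name = tld.strip(".").lower() + "."
    has_dnskey = bool(lookup(name, "DNSKEY"))           # "signed"
    has_ds = bool(lookup(name, "DS"))                   # DS is published by the parent: the root zone
    has_dlv = bool(lookup(name + DLV_REGISTRY, "DLV"))  # e.g. example.dlv.isc.org. DLV
    return {"signed": has_dnskey, "dsroot": has_ds, "dlv": has_dlv,
            "unsigned": not (has_dnskey or has_ds or has_dlv)}

def tld_stats(tlds: Iterable[str], lookup: Lookup, updated: str) -> Dict[str, object]:
    """Count every TLD in the list; 'total' is the size of the list (the IANA Registry)."""
    counts: Dict[str, object] = {"signed": 0, "updated": updated, "about": ABOUT,
                                 "dlv": 0, "unsigned": 0, "total": 0, "dsroot": 0}
    for tld in tlds:
        counts["total"] += 1
        for key, flag in tld_status(tld, lookup).items():
            counts[key] += int(flag)
    return counts

def txt_rdata(stats: Dict[str, object]) -> str:
    """Quote the JSON as one TXT character-string: backslashes and quotes escaped."""
    js = json.dumps(stats, separators=(",", ":"))
    return '"' + js.replace("\\", "\\\\").replace('"', '\\"') + '"'

def nsupdate_script(zone: str, name: str, rdata: str, ttl: int = 3600) -> str:
    """Build the nsupdate batch; feed it to `nsupdate -k <TSIG key file>` for a signed update."""
    return "\n".join([f"zone {zone}", f"update delete {name} TXT",
                      f"update add {name} {ttl} IN TXT {rdata}", "send", ""])

# Constructed sample DNS view (made-up TLDs): aa has a DS at the root, bb is in DLV,
# cc has a DNSKEY but neither, dd has nothing at all.
SAMPLE_RRSETS = {
    ("aa.", "DNSKEY"): ["257 3 8 <constructed>"], ("aa.", "DS"): ["1 8 2 <constructed>"],
    ("bb.", "DNSKEY"): ["257 3 8 <constructed>"], ("bb.dlv.isc.org.", "DLV"): ["1 8 2 <constructed>"],
    ("cc.", "DNSKEY"): ["257 3 8 <constructed>"],
}

def sample_lookup(name: str, rrtype: str) -> List[str]:
    return SAMPLE_RRSETS.get((name, rrtype), [])

if __name__ == "__main__":
    stats = tld_stats(["aa", "bb", "cc", "dd"], sample_lookup, "2011-06-10T12:14:31Z")
    print(nsupdate_script("jpmens.net", "tldstats.jpmens.net.", txt_rdata(stats)))
```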

That just about covers it.