The M11 metrics analyze the deployment of DNSSEC in top level domains (TLD) and in second level domains (SLD). We want to measure not only the global deployment rate, as in "X% of zones in category Y deploy DNSSEC", but also the algorithms used for signing the zone, as in "Z% of zones in category Y deploy DNSSEC using RSA/SHA1". For TLDs, we have observed that deployment rates and deployed algorithms are different for For SLDs, we have observed that the deployment rate and the choice of algorithms vary depending on which domains are considered. We extract from the "majestic million" list a set of five categories:
To estimate the deployment rate for small domains not in the majestic million list, we analyze the domains listed in the COM zone. This gives us a total of eight metric categories, identified as:
Submetric | Category |
---|---|
M11.1 | gTLDs, |
M11.2 | ccTLDs, |
M11.1 | Top 100 domains, |
M11.2 | Domains 101 to 1,000, |
M11.3 | Domains 1,001 to 10,000, |
M11.4 | Domains 10,001 to 100,000, |
M11.5 | Domains 100,001 to 1M. |
M11.6 | Domains in COM zone |
In each of these categories, we check whether there is a DS record for the zone corresponding to the domain name, and if there is one we retrieve the DNSSEC algorithm number (https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml). If there are several DS records for a zone, we look at the list of algorithm numbers mentioned, and if there are N different algorithm numbers we assign to each of them a weight 1/N.
The computation process is different for each of the categories: for the TLDs, we simply count all TLDs and all DS records for these TLDs in the root zone. For the other domains, we proceed by statistical sampling, sampling several hundred thousand domains in total.
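The DS counting and 1/N weighting described above can be sketched as follows. This is an added example, not the code used to produce the M11 metrics: the zone names, key tags and digests in the sample are constructed placeholders, the function names are hypothetical, and expressing each algorithm's share as a fraction of all zones in the category is an assumption based on the "Z% of zones in category Y" wording.

```python
from fractions import Fraction

# Constructed sample in root-zone master-file style (not real delegations).
SAMPLE_ZONE = """\
zone1.  172800 IN NS a.nic.zone1.
zone1.  86400  IN DS 1111 8 2 AAAA   ; two DS records, same algorithm
zone1.  86400  IN DS 2222 8 2 BBBB
zone2.  172800 IN NS a.nic.zone2.
zone2.  86400  IN DS 3333 8 2 CCCC   ; two DS records, two algorithms
zone2.  86400  IN DS 4444 13 2 DDDD
zone3.  172800 IN NS a.nic.zone3.    ; delegated but no DS record
zone4.  172800 IN NS a.nic.zone4.
zone4.  86400  IN DS 5555 13 2 EEEE
"""

def parse_delegations(zone_text):
    """Return {zone: set of DS algorithm numbers}; unsigned zones map to an empty set."""
    zones = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "NS":
            zones.setdefault(owner, set())      # every delegated zone is counted
        elif rtype == "DS" and len(fields) >= 8:
            # DS RDATA order: key tag, algorithm, digest type, digest
            zones.setdefault(owner, set()).add(int(fields[5]))
    return zones

def dnssec_metrics(zones):
    """Return (deployment rate, {algorithm: weighted share of all zones})."""
    if not zones:
        return Fraction(0), {}
    signed, weights = 0, {}
    for algs in zones.values():
        if not algs:
            continue
        signed += 1
        for alg in algs:  # N distinct algorithms each get weight 1/N
            weights[alg] = weights.get(alg, Fraction(0)) + Fraction(1, len(algs))
    total = len(zones)
    return Fraction(signed, total), {a: w / total for a, w in weights.items()}

if __name__ == "__main__":
    rate, shares = dnssec_metrics(parse_delegations(SAMPLE_ZONE))
    print(f"DNSSEC deployed: {float(rate):.1%}")
    for alg, share in sorted(shares.items()):
        print(f"  algorithm {alg}: {float(share):.1%}")
```

Because each signed zone distributes a total weight of 1 across its algorithms, the per-algorithm shares always sum to the overall deployment rate.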