New DNSSEC charts on

In this blog post we introduce five new figures related to DNSSEC usage and security that we publish on our statistics page SIDN Labs, together with registrars, are encouraging the use of DNSSEC now for several years. Initiatives like the DNSSEC-validation monitor and user-friendly plugins that allow owners of websites to implement DNSSEC checks try to raise awareness. As a consequence, the .nl zone has an adoption of DNSSEC with over 40%.

DNSSEC Validation

DNSSEC related statistics, observed at our name servers and collected and analyzed with our ENTRADA platform, are already available on Now, we have added new charts that show the number of DNSSEC validating resolvers per autonomous system (AS).

We show, in which ASs validating DNSSEC resolvers are located and for how many monthly queries they are responsible. We assume that every resolver that queries at least 1.000 times per month for DS or DNSKEY and has the DO flag set is validating signatures. We chose this limit to rule out false classification of resolvers that send only a few DNSEEC related queries for testing purposes or that serve validating clients.

The first graph (Figure 1) shows the number of queries that we have received from validating resolvers, separated by the AS in which the resolver is located. We have observed queries from 38.964 ASs in November 2015. From those, we select 1.000 ASs from which we receive the most queries.

New DNSSEC charts Fig1

Figure 1: Share of queries that are sent from validating resolvers. The size of the boxes indicates the total number of queries. A blue colored cell indicates that we receive many queries from validating resolvers from this AS.

Figure 2 shows the same information, but now only for ASs that are assigned to organizations in the Netherlands.

New DNSSEC charts Fig2

Figure 2: Share of queries that are sent from validating resolvers from Dutch ASs.

The third graph shows the resolvers of the open resolver services of Google and OpenDNS.

New DNSSEC charts Fig3

Figure 3: Share of queries that are sent from validating resolvers from open Google and OpenDNS resolvers.

Note, that there are still many resolvers that do not validate DNSSEC signatures, despite the wide support of DNS software like BIND and Unbound.

In the Netherlands, DNSSEC validation is heterogeneous. Some ASs locate validating resolvers that are responsible for almost all of the received queries from this AS, whereas other ASs locate almost no validating resolvers. Both groups include ASs from large Dutch ISPs.As for open resolver services: Google has enabled validation on all of their resolvers. In comparison, we were not able to identify validating resolvers of OpenDNS.

Port randomization

Although, the graph in Figure 4 does not show DNSSEC validating resolvers, it is still closely related to DNS security. DNSSEC was introduced to fight, among others, DNS spoofing attacks. Port randomization is another countermeasure to make spoofing attacks harder.

We show, how many resolvers still use a small number of ports when sending DNS requests to our name servers. We measure this by calculating the daily standard deviation of the port numbers for each resolver as described here. We can calculate the standard deviation fast and easy and it gives us a rough estimation of the randomness of the used ports. We can see, that the majority of resolvers use a reasonably wide range of ports. However, some resolvers still use only a very limited range of ports to query our name servers. Looking at the number of received queries indicates, that especially small resolvers seem to have this issue.

New DNSSEC charts Fig4

Figure 4: Share of resolvers that have a high, medium and low degree of port randomness.

In the last chart (Figure 5) we show how many resolvers, which use a small range of ports to send us queries, are located in the Netherlands. Additionally, we show in which AS these resolvers are located.

New DNSSEC charts Fig5

Figure 5: The number of unsecure resolvers that are located in Dutch ASs.

Now, readers might ask themselves: “If only a few resolvers have a weak source port randomness, what do we need DNSSEC for?”.

Well, first, a random source port does not make a DNS cache poising attack impossible for an attacker but only decrease the chance of a successful attack. DNSSEC adds additional security.

Second, a random selection of source ports does not protect against attackers that are able to carry out a Man-in-the-Middle attack.

Third, DNSSEC does not only provide authentication and integrity between a recursive resolver and an authoritative name server but also between the stub resolver of the client and the authoritative name server. However, therefore it is necessary, that the stub resolver is validating as well.

Last, DNSSEC enables the DANE protocol to improve the security of TLS connections.

For those reasons, among others, DNSSEC is an important extension to DNS and we promote its deployment.

Data sharing

As usual, we publish the raw data in JSON format on our website and we invite other researchers and organizations to give us feedback on how to improve our charts. Also, please let us know if you are missing any kind of information.



Moritz Müller

Research engineer

+31 26 352 55 00

  • maandag 25 februari 2019


    Een nieuwe carrière als programmeur voor statushouders


    HackYourFuture biedt vluchtelingen de tools om toe te treden tot de arbeidsmarkt

    Lees meer
  • woensdag 6 februari 2019


    Google Chrome waarschuwt gebruikers voor typodomeinnamen


    Valse url’s herkennen is lastig

    Lees meer
  • donderdag 1 november 2018


    Nieuwe CEO Connectis


    Per 1 november start Remco Coenen

    Lees meer


De versie van de browser die je gebruikt is verouderd en wordt niet ondersteund.
Upgrade je browser om de website optimaal te gebruiken.