Blog Farsight TXT Record

The "Forgotten Half" of DNSDB: DNSDB's DNSSEC Coverage

I. Introduction

In 2008, network researcher Dan Kaminsky announced a DNS vulnerability that would let any determined attacker, for the cost of about 10 minutes of packet bombing, insert data into the DNS such that any victim could be made to see whatever an attacker wanted them to see. The industry went berserk, and many workarounds were proposed, and some were deployed. But the only real fix was Secure DNS, also called DNSSEC, and the Kaminsky demonstration helped both the US Government and the Internet governance community including ICANN — the Internet Corporation for Assigned Names and Numbers — finally justify the global risks and costs of deploying DNSSEC in the DNS Root Zone, which was the final gate for universal DNSSEC deployment.

In the decade since then, many ISPs began to verify all DNS answers they received using DNSSEC where possible, and many OSPs began to digitally sign all the DNS answers they published. DNS registries and registrars all over the world invested thousands of hours of time and tens of thousands of dollars in capital and expense in order to support this new digital signature and verification regime. It has been a hard road, characterized by many potholes and more than a few broken axles. However, DNSSEC is a real thing now, and is trending inexorably toward universal deployment. This means Farsight DNSDB has observed and stored a lot of DNSSEC records, but for reasons of history and expediency, we don’t display them by default.

In this blog article, we will try to explain what DNSSEC records are, when they’ll exist, what is the significance of them not existing when they ought to, how to ask for them, and how to interpret them. As with all digital cryptography and especially the kind of digital cryptography present in a distributed system like the DNS or the Internet itself, this topic may at first appear to be very dry. We like to think the reverse is true, and that endless rewards await those patient enough and diligent enough to follow this story through to its conclusions in operational security.

II. Doing DNSSEC

In order for DNSSEC protection to be realized, two things need to occur:

(a) DNS zone administrators need to cryptographically sign the relevant DNS zones

AND

(b) Recursive resolver operators need to configure their resolvers to verify those signatures when they’re present.

From a user’s perspective, DNSSEC processing happens transparently in the background. In fact, many users (including users of Google’s 8.8.8.8 public resolvers[1] and Comcast/Xfinity’s broadband customers[2], just to mention two prominent examples) are protected by DNSSEC even though they may have no idea that this is even happening.

That said, if we want to, we can explicitly manually confirm that a DNSSEC-signed domain name validates correctly using the delv command.

Let’s begin by checking www.farsightsecurity.com. That’s a DNSSEC-signed name that will validate correctly:

Figure 1. Successful DNSSEC validation of www.farsightsecurity.com

$ delv www.farsightsecurity.com
; fully validated
www.farsightsecurity.com. 3600 IN A 104.244.13.104
www.farsightsecurity.com. 3600 IN RRSIG A 5 3 3600 [etc]

While DNSSEC-signed domains typically validate fine, that’s not always the case. We can see an example of this associated with an intentionally mis-signed test domain:

Figure 2. Test of an intentionally mis-signed domain test point

$ delv dnssec-failed.org
;; resolution failed: SERVFAIL

Note the intentional DNSSEC failure mode: if the DNSSEC crypto isn’t absolutely right, SERVFAIL is signaled and the domain doesn’t resolve.

DNSSEC can also provide proof of non-existence, as seen if we attempt to resolve a non-existent domain:

Figure 3. Proof of non-existence (for a random domain name that doesn’t exist)

$ delv asaksasasaadddd.com
;; resolution failed: ncache nxdomain
; negative response, fully validated
[additional details elided here]

Another DNSSEC possibility is that you may see a mix of signed and non-signed answers, as is the case for this (signed) CNAME pointing at an (unsigned) name at a Content Delivery Network (CDN):

Figure 4. Mixed response (signed CNAME pointing at an unsigned name)

$ delv www.upenn.edu
; fully validated
www.upenn.edu.          300   IN  CNAME  www.upenn.edgekey.net.
www.upenn.edu.          300   IN  RRSIG  CNAME 5 3 300 [etc]

; unsigned answer
www.upenn.edgekey.net.  14785 IN  CNAME  e6192.f.akamaiedge.net.
e6192.f.akamaiedge.net. 20    IN  A      246.38.98

Finally, let’s see what we’re shown if a domain exists, but is NOT DNSSEC-signed:

Figure 5. Unsigned Domain

$ delv bbc.co.uk
; unsigned answer
bbc.co.uk.		300	IN	A	151.101.0.81
bbc.co.uk.		300	IN	A	151.101.64.81
bbc.co.uk.		300	IN	A	151.101.128.81
bbc.co.uk.		300	IN	A	151.101.192.81

All of the above is as we’d expect.

DNSSEC, like most cryptographic systems, insists upon “perfection:” either your DNSSEC configuration is absolutely correct, or it isn’t.

If it isn’t, your domain will experience an outage (appear to be “down”) when users attempt to access it from sites where DNSSEC validation is done.

The IANIX Major DNSSEC Outages and Validation Failures page is one site that tracks DNSSEC-related outages.

Let’s look at how DNSDB’s DNSSEC records can be used to confirm one of the outages listed there.

For example, let’s consider nepa.gov (a shortcut to the National Environmental Policy Act site). You can see what that site looks like now in Figure 6:

Figure 6. nepa.gov (at https://ceq.doe.gov/)


That site has been periodically analyzed by the DNSSEC checking site dnsviz.net, including on 5/25/2017:

Figure 7: Cached DNSviz.net report for nepa.gov as of 5/25/2017, showing DNSSEC errors


DNSViz.net is a wonderful resource because manually validating DNSSEC records step-by-step can be a tedious undertaking.[3]

For the purpose of this post, let’s just focus on one very basic and easy-to-confirm issue flagged by the DNSviz.net report for nepa.gov, namely, “gov to nepa.gov: the DS set for the zone included algorithm 7 (RSASHA1NSEC3SHA1), but no DS matched a DNSKEY with algorithm 7 that signs the zone’s DNSKEY RRset.”

As a review of select DNSSEC record types, remember that:

• The DS (“Delegation Signer”) resource record stores a key tag, an algorithm field, and the digest type of the DNSKEY resource record, as well as the digest itself. It comes from the parent zone.[4]

• The DNSKEY resource record has a flags field, a protocol field, an algorithm field, and contains the public key that corresponds to the private key used to sign a zone. It comes from the child zone.[5]

For validation to succeed, one requirement is that at least one algorithm specified in a domain’s DS record AND one algorithm specified in a domain’s DNSKEY record must agree.[6]

For example, both could use algorithm 7 (“RSASHA1-NSEC3-SHA1”),[7] or both could use algorithm 8 (“RSA/SHA-256”) — either of those alternatives would technically work.[8] However, if a domain’s only DS record used one algorithm while the domain’s only DNSKEY record used a different algorithm, that incompatibility would be, in and of itself, fatal to successful DNSSEC validation of that trust chain. (This is far from the only way DNSSEC could be misconfigured, but for our purposes it is one of the easier failure modes to identify and explain, which is why we chose to look at it today.)

What do we see in DNSDB? Let’s check DNSDB for the nepa.gov/DS records and the nepa.gov/DNSKEY records. We’ll do that using the dnsdbq[9] command line interface client to the DNSDB API.

While nepa.gov’s DNSSEC issue may have been going on for some time, to keep this post relatively brief, let’s just look at what DNSDB saw from May 1st, 2017 forward.

Checking DNSDB’s DNSKEY records for that domain (and omitting the base64-encoded keying material in the interest of keeping this relatively short), we can see that all the DNSKEY records were created using algorithm 8:

Figure 8. nepa.gov DNSKEY records since 2017-05-01

$ dnsdbq -r nepa.gov/dnskey -s -A 2017-05-01
;; record times: 2017-04-13 07:01:21 .. 2017-05-08 15:01:18
;; count: 778; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8 [keying material elided here and below]
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2017-05-08 23:01:27 .. 2017-07-02 07:01:50
;; count: 1402; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8
nepa.gov. DNSKEY 385 3 8

;; record times: 2017-07-02 15:01:21 .. 2017-08-23 06:33:41
;; count: 1103; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2017-08-24 03:53:11 .. 2017-09-05 02:36:25
;; count: 136; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2017-10-20 23:01:18 .. 2017-10-23 09:21:36
;; count: 60; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2017-10-23 15:25:53 .. 2017-10-27 07:01:43
;; count: 89; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2018-01-07 22:40:40 .. 2018-01-30 23:01:00
;; count: 40; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

Now let’s look at the DS records for nepa.gov — uh oh! We can see that at least until 2017-05-26 15:01:04 UTC, algorithm 7, NOT algorithm 8, was used in the nepa.gov DS records:

Figure 9. nepa.gov DS records since 2017-05-01

$ dnsdbq -r nepa.gov/ds -s -A 2017-05-01
;; record times: 2010-07-27 18:26:46 .. 2017-05-26 15:01:04
;; count: 31613; bailiwick: gov.
nepa.gov. DS 3489 7 1 [etc]
nepa.gov. DS 3489 7 2 [etc]

;; record times: 2017-05-26 05:11:13 .. 2018-01-30 23:01:00
;; count: 5500; bailiwick: gov.
nepa.gov. DS 25471 8 1 [etc]
nepa.gov. DS 25471 8 2 [etc]

This error, in and of itself, would have broken access to the nepa.gov site for all users protected by a DNSSEC-validating resolver during our period of interest.

We have thus shown how you can confirm a reported DNSSEC-related outage by using the DNSSEC information stored in DNSDB.

IV. Are There .gov and .mil domains using Algorithms Other than Algorithm 8 For Their DS Records?

As of August 2015, NIST has deprecated SHA-1 hashes for most Federal government uses in favor of SHA-256 and similar stronger hash functions.[10]

When it comes to DNSSEC, algorithm 5 (“RSA/SHA-1”) and algorithm 7 (“RSASHA1-NSEC3-SHA1”) use SHA-1, while algorithm 8 (“RSA/SHA-256”) uses SHA-256. Thus, in most cases, we’d expect gov/mil DS records to use algorithm 8.

But are there any exceptions? Let’s take a look at dot gov and dot mil DS records seen since the start of the year (we may not see every dot gov/dot mil DS record in just a month or two, but we can at least get a sense of what’s going on):

We pulled a list of dot gov/dot mil DS records seen since January 1st, 2018 by saying:

Figure 10. Collecting dot gov/dot mil DS Records since January 1st, 2018

$ dnsdbq -l 1000000 -r \*.gov/DS -A 2018-01-01 > gov-ds.txt
$ dnsdbq -l 1000000 -r \*.mil/DS -A 2018-01-01 > mil-ds.txt

Typical records looked like:

Figure 11. Typical dot mil DS records from DNSDB

;; zone times: 2017-09-26 20:00:05 .. 2018-02-01 20:00:02
;; count: 129; bailiwick: .
mil. DS 27319 8 1 B090CA5F985BE47393497300F887EF8466E86C8C
mil. DS 27319 8 2 98332FC2B22D453BD47ACDF73C0150A4DAB54751450ED679411EC972577CAD47

;; record times: 2017-09-26 17:14:02 .. 2018-02-01 19:54:05
;; count: 12879374; bailiwick: .
mil. DS 27319 8 1 B090CA5F985BE47393497300F887EF8466E86C8C
mil. DS 27319 8 2 98332FC2B22D453BD47ACDF73C0150A4DAB54751450ED679411EC972577CAD47

;; record times: 2017-07-03 19:01:11 .. 2018-02-01 19:59:54
;; count: 12632726; bailiwick: mil.
af.mil. DS  26665 8 1 83762F11D06E05E2A45C2750E37195FD37249F21
af.mil. DS  26665 8 2 6295EE53B1859735D945AE0621DFF33233F92F74F173FEC85805BDF9E4A1CAA4

We used a text editor to remove comments (“;;”) and blank lines from those files.

Having done that, we then extracted just unique (domain name, DS algorithm-types) tuples:

Figure 12. Extracting just domain names and DS record algorithm types

$ awk '{print $1 " " $4}' < gov-ds.txt | sort -u > gov-ds-2.txt
$ awk '{print $1 " " $4}' < mil-ds.txt | sort -u > mil-ds-2.txt

Manually rearranging the gov file, we found 75 Algorithm 5 (“RSA/SHA-1”), 165 Algorithm 7 (“RSASHA1-NSEC3-SHA1”), and 190 Algorithm 8 (“RSA/SHA-256”). See Appendix A.

Most of the dot mil domains also used Algorithm 8, although we saw Algorithms 7 and 5 there, too. See Appendix B.

Assuming gov/mil domain holders want to follow NIST cryptographic guidance, it would be good for sites currently using Algorithm 5 and Algorithm 7 to migrate to Algorithm 8.
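The two checks above, the DS/DNSKEY algorithm agreement used to confirm the nepa.gov mismatch in Figures 8 and 9, and the per-algorithm census of Figure 12, can be scripted over dnsdbq -s output. The following is an added example written for this post, not Farsight's or dnsdbq's own code; the sample input is the nepa.gov data from Figures 8 and 9 with keying material elided, so only algorithm fields (not key tags) are compared.

```python
"""Check DS/DNSKEY algorithm agreement and tally DS algorithms from dnsdbq -s output."""
import re
from collections import Counter

# Constructed sample input: nepa.gov rows copied from Figures 8 and 9 of this post, with
# the keying material elided as in the post (key tags cannot be recomputed without it).
# Duplicate rows were dropped to keep the sample short.
NEPA_DNSKEY = """\
;; record times: 2017-04-13 07:01:21 .. 2017-05-08 15:01:18
;; count: 778; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8

;; record times: 2017-05-08 23:01:27 .. 2017-07-02 07:01:50
;; count: 1402; bailiwick: nepa.gov.
nepa.gov. DNSKEY 256 3 8
nepa.gov. DNSKEY 257 3 8
nepa.gov. DNSKEY 385 3 8
"""

NEPA_DS = """\
;; record times: 2010-07-27 18:26:46 .. 2017-05-26 15:01:04
;; count: 31613; bailiwick: gov.
nepa.gov. DS 3489 7 1
nepa.gov. DS 3489 7 2

;; record times: 2017-05-26 05:11:13 .. 2018-01-30 23:01:00
;; count: 5500; bailiwick: gov.
nepa.gov. DS 25471 8 1
nepa.gov. DS 25471 8 2
"""

TIMES_RE = re.compile(r"^;; (?:record|zone) times: (\S+ \S+) \.\. (\S+ \S+)$")


def parse_dnsdbq(text):
    """Split dnsdbq -s output into (first_seen, last_seen, [rdata field tuples]) blocks.
    Timestamps keep dnsdbq's 'YYYY-MM-DD HH:MM:SS' form, which orders correctly as text."""
    blocks = []
    for line in text.splitlines():
        m = TIMES_RE.match(line)
        if m:
            blocks.append((m.group(1), m.group(2), []))
        elif line.startswith(";;") or not line.strip() or not blocks:
            continue  # count/bailiwick comments, blank separators, lines before any header
        else:
            blocks[-1][2].append(tuple(line.split()))
    return blocks


def dnskey_flags(flags):
    """Decode the DNSKEY flags field: ZONE (256), REVOKE (128, RFC 5011) and SEP (1)."""
    return {"zone": bool(flags & 256), "revoke": bool(flags & 128), "sep": bool(flags & 1)}


def ds_dnskey_mismatches(ds_text, dnskey_text):
    """Return (ds_first, ds_last, ds_algorithms, dnskey_algorithms) for every DS window
    whose algorithms match no unrevoked DNSKEY algorithm observed in an overlapping window.
    A DS window with no overlapping DNSKEY observation is skipped: nothing can be concluded."""
    keys = parse_dnsdbq(dnskey_text)
    found = []
    for ds_first, ds_last, ds_rrs in parse_dnsdbq(ds_text):
        ds_algs = {int(r[3]) for r in ds_rrs if r[1] == "DS"}
        key_algs = set()
        for k_first, k_last, k_rrs in keys:
            if k_first <= ds_last and ds_first <= k_last:  # observation windows overlap
                # A revoked key (flags 385 in Figure 8) no longer counts as signing the zone.
                key_algs |= {int(r[4]) for r in k_rrs
                             if r[1] == "DNSKEY" and not dnskey_flags(int(r[2]))["revoke"]}
        if key_algs and not ds_algs & key_algs:
            found.append((ds_first, ds_last, sorted(ds_algs), sorted(key_algs)))
    return found


def ds_algorithm_census(text):
    """Tally unique (owner name, DS algorithm) pairs, as the awk | sort -u step in Figure 12."""
    pairs = {(r[0], int(r[3])) for _, _, rrs in parse_dnsdbq(text) for r in rrs if r[1] == "DS"}
    return Counter(alg for _, alg in pairs)
```

Feeding the full gov-ds.txt or mil-ds.txt capture to ds_algorithm_census replaces the manual comment stripping and rearranging described above, and the "zone times" header form of Figure 11 is accepted alongside "record times".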

V. Conclusion

You now know that in addition to familiar DNS record types, Farsight also collects and indexes DNSSEC record types in DNSDB.

You understand that while DNSSEC normally just silently works in the background to help protect against cache poisoning attacks, we can explicitly and manually test the DNSSEC validity of a name using the delv command, or by using a graphical tool like dnsviz.net.

We showed you an example of how DNSDB can be used to validate a report of DNSSEC algorithm mismatch for nepa.gov, and showed in another simple example how you can check to see what algorithms are being used by a set of domains of interest.

When all is said and done, we hope that this post has sparked your interest in DNSSEC and DNSDB’s DNSSEC-related data!

If you need information about how to subscribe to DNSDB, please see our Order Services page.

Appendix A. DS record algorithms by dot gov domain


Appendix B. DS Algorithm Usage By Dot mil domains


Notes

[1] Google Public DNS FAQ

[2] Comcast Completes DNSSEC Deployment

[3] See for example Innovation Blog: DNSSEC/

[4] IETF

[5] IETF

[6] IETF

[7] Domain Name System Security (DNSSEC) Algorithm Numbers

[8] We do not consider the cryptographic strength of the various DNSSEC algorithms here, but see for example NIST Policy on Hash Functions which notes that “Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance.”

[9] GitHub DNSDB/DNSDBQ

[10] NIST Policy on Hash Functions

Dr. Paul Vixie is the CEO, Chairman and Cofounder of Farsight Security, Inc.

Joe St Sauver Ph.D. is a Distinguished Scientist with Farsight Security, Inc.