[dnssec-coord] Thoughts on when to designate a newgTLD as "Operational" in DNSSEC deployment maps?

Olafur Gudmundsson ogud at shinkuro.com
Tue Apr 15 15:08:25 PDT 2014

Dan excellent questions 
On Apr 15, 2014, at 4:05 PM, Dan York <york at isoc.org> wrote:

> DNSSEC-coord members,
> I have a question upon which I'd love your advice/feedback.  In the DNSSEC Deployment Maps[1] that we distribute weekly we do include the current status of all the newgTLDs.  They don't show up in the maps, of course, but do appear in the accompanying CSV files.  So far I have just indicated when they have a "DS in Root" which is easy to determine from sites like Rick Lamb's https://rick.eng.br/dnssecstat/
> The question is how to know when to move them to "Operational" status meaning that they are accepting signed delegations from registrars/registrants.  Really the only way to know this is to contact or watch each registry somehow... and there are too many of them for me to do that.
> It was pointed out to me in Singapore by Duane Wessels that all newgTLDs have to use the Centralized Zone Data Service (CZDS)[2] and that someone ought to be able to query the CZDS and come up with a site showing which domains have signed domains.
> It turns out that someone is already sort of doing this at this site: http://ntldstats.com/  where we learn the fact that of 486,070 registered newgTLD domains, only a whopping 915 of them are signed. :-(     
> If you go onto this specific page, though, http://ntldstats.com/tld , you can see how many signed domains are under each of the newgTLDs.  I would not have guessed that the order would be .TIPS, .TATTOO, .SEXY and .EMAIL.
> Anyway, my thinking is to designate a newgTLD as "Operational" in the maps database once it passes some number of signed domains in a list like the one on this site.  Because there may be some experimental or operational domains that could be signed by the registry before making it available to all, I don't think the existence of 1 or 3 domains may be enough to say "Operational".  Part of me says perhaps "5"... or maybe 10 just to be safe.

Pick a number and operators will learn of that number and put that many test  DS's in there. 

> What do you think of that as a mechanism?  Do you think it would be fair to list a newgTLD as "Operational" when it has, say, 10 or more signed domains inside the TLD?
> Or does anyone have another suggestion?

Well I think the only reliable measure is when one can add a DS to an domain in there.

Short of that is to keep track and measure uptake, I wonder if we can convince a registrar to publish when they can add DS in domains 
as they are the ones most likely to know other than the operator. 

I signed up for a CZDS account and requested 3 zone files lets see if that works. 
If not I can use my NSEC/NSEC3 scanner to sample the tld's for evidence of DNSSEC uptake. 


> Thoughts and comments are appreciated.
> Thanks,
> Dan
> [1] http://www.internetsociety.org/deploy360/dnssec/maps/
> [2] http://newgtlds.icann.org/en/program-status/czds
> --
> Dan York
> Senior Content Strategist, Internet Society
> york at isoc.org   +1-802-735-1624
> Jabber: york at jabber.isoc.org 
> Skype: danyork   http://twitter.com/danyork
> http://www.internetsociety.org/deploy360/ 
> _______________________________________________
> dnssec-coord mailing list
> dnssec-coord at elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/dnssec-coord

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://elists.isoc.org/pipermail/dnssec-coord/attachments/20140415/5e151818/attachment-0001.html>

More information about the dnssec-coord mailing list