07 Sep

DNSSEC deployment across the ccTLDs

While I am spending time on APNIC’s security workshop here at APNIC 46, I got curious about DNSSEC deployment across ccTLDs. 

For those who may be unaware, DNSSEC adds signatures to DNS responses, making it possible to cryptographically verify a DNS query response. 

Out of 254 ccTLDs, 125 support DNSSEC with a published DS record (at least that is what I get when I check their zone) and 129 do not support it as yet. So, for now, it is at 49.21%. 

ccTLD   Status
ac      TRUE
ad      TRUE
ae      FALSE
af      TRUE
ag      TRUE
ai      FALSE
al      FALSE
am      TRUE
an      FALSE
ao      FALSE
aq      FALSE
ar      TRUE
as      FALSE
at      TRUE
au      TRUE
aw      TRUE
ax      TRUE
az      TRUE
ba      FALSE
bb      FALSE
bd      FALSE
be      TRUE
bf      FALSE
bg      TRUE
bh      FALSE
bi      FALSE
bj      FALSE
bl      FALSE
bm      TRUE
bn      FALSE
bo      FALSE
bq      FALSE
br      TRUE
bs      FALSE
bt      TRUE
bv      FALSE
bw      TRUE
by      TRUE
bz      TRUE
ca      TRUE
cc      TRUE
cd      FALSE
cf      FALSE
cg      FALSE
ch      TRUE
ci      FALSE
ck      FALSE
cl      TRUE
cm      FALSE
cn      TRUE
co      TRUE
cr      TRUE
cu      FALSE
cv      FALSE
cw      FALSE
cx      TRUE
cy      FALSE
cz      TRUE
de      TRUE
dj      FALSE
dk      TRUE
dm      FALSE
do      FALSE
dz      FALSE
ec      FALSE
ee      TRUE
eg      FALSE
eh      FALSE
er      FALSE
es      TRUE
et      FALSE
eu      TRUE
fi      TRUE
fj      FALSE
fk      FALSE
fm      FALSE
fo      TRUE
fr      TRUE
ga      FALSE
gb      FALSE
gd      TRUE
ge      FALSE
gf      FALSE
gg      FALSE
gh      FALSE
gi      TRUE
gl      TRUE
gm      FALSE
gn      TRUE
gp      FALSE
gq      FALSE
gr      TRUE
gs      TRUE
gt      FALSE
gu      FALSE
gw      TRUE
gy      FALSE
hk      TRUE
hm      FALSE
hn      TRUE
hr      TRUE
ht      FALSE
hu      TRUE
id      TRUE
ie      TRUE
il      TRUE
im      FALSE
in      TRUE
io      TRUE
iq      FALSE
ir      FALSE
is      TRUE
it      TRUE
je      FALSE
jm      FALSE
jo      FALSE
jp      TRUE
ke      TRUE
kg      TRUE
kh      FALSE
ki      TRUE
km      FALSE
kn      FALSE
kp      FALSE
kr      TRUE
kw      FALSE
ky      TRUE
kz      FALSE
la      TRUE
lb      TRUE
lc      TRUE
li      TRUE
lk      TRUE
lr      TRUE
ls      FALSE
lt      TRUE
lu      TRUE
lv      TRUE
ly      FALSE
ma      TRUE
mc      FALSE
md      FALSE
me      TRUE
mf      FALSE
mg      TRUE
mh      FALSE
mk      FALSE
ml      FALSE
mm      TRUE
mn      TRUE
mo      FALSE
mp      FALSE
mq      FALSE
mr      FALSE
ms      FALSE
mt      FALSE
mu      FALSE
mv      FALSE
mw      FALSE
mx      TRUE
my      TRUE
mz      FALSE
na      TRUE
nc      TRUE
ne      FALSE
nf      TRUE
ng      FALSE
ni      FALSE
nl      TRUE
no      TRUE
np      FALSE
nr      FALSE
nu      TRUE
nz      TRUE
om      FALSE
pa      FALSE
pe      TRUE
pf      FALSE
pg      FALSE
ph      FALSE
pk      FALSE
pl      TRUE
pm      TRUE
pn      FALSE
pr      TRUE
ps      FALSE
pt      TRUE
pw      TRUE
py      FALSE
qa      FALSE
re      TRUE
ro      TRUE
rs      FALSE
ru      TRUE
rw      FALSE
sa      TRUE
sb      TRUE
sc      TRUE
sd      FALSE
se      TRUE
sg      TRUE
sh      TRUE
si      TRUE
sj      TRUE
sk      FALSE
sl      FALSE
sm      FALSE
sn      TRUE
so      FALSE
sr      FALSE
ss      FALSE
st      FALSE
su      TRUE
sv      FALSE
sx      TRUE
sy      FALSE
sz      FALSE
tc      FALSE
td      FALSE
tf      TRUE
tg      FALSE
th      TRUE
tj      FALSE
tk      FALSE
tl      TRUE
tm      TRUE
tn      TRUE
to      FALSE
tp      FALSE
tr      FALSE
tt      TRUE
tv      TRUE
tw      TRUE
tz      TRUE
ua      TRUE
ug      TRUE
uk      TRUE
um      FALSE
us      TRUE
uy      TRUE
uz      FALSE
va      FALSE
vc      TRUE
ve      FALSE
vg      FALSE
vi      FALSE
vn      TRUE
vu      TRUE
wf      TRUE
ws      TRUE
yt      TRUE
za      TRUE
zm      TRUE
zw      FALSE





About all TLDs in the root zone

There are 1540 TLDs right now in the root zone, out of which 145 do not support DNSSEC as yet (129 of those are ccTLDs alone). 1396 do have a DS record in the DNS zone at the TLD level. I have published the full list here.

Note: Full DNSSEC support is more than just DS record in the zone. 
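The DS-record count described above can be reproduced from root-zone data in master-file format. The following is an added example, not the script used for this post: the sample records (key tags, digests, name servers) are constructed, the function names are illustrative, and "ccTLD" is assumed to mean a two-letter ASCII label.

```python
# Added example: DS-record coverage from root-zone-style records.
# SAMPLE_ZONE is constructed; key tags, digests and name servers are made up.
SAMPLE_ZONE = """\
; constructed sample in DNS master-file format
.           86400  IN SOA   a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
ac.         172800 IN NS    ns1.nic.ac.
ac.         86400  IN DS    11111 8 2 AB12CD34
ac.         86400  IN RRSIG DS 8 1 86400 20180920 20180907 41656 . c2ln
ad.         172800 IN NS    ns1.nic.ad.
ad.         86400  IN DS    22222 8 2 EF56AB78
ae.         172800 IN NS    ns1.nic.ae.
ae.         86400  IN NSEC  af. NS RRSIG NSEC
ns1.nic.ae. 172800 IN A     192.0.2.1
ai.         172800 IN NS    ns1.nic.ai.
example.    172800 IN NS    ns1.nic.example.
example.    86400  IN DS    33333 13 2 0123ABCD
"""

def parse_records(zone_text):
    """Yield (owner, rrtype) per record; comments and blank lines are skipped."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 2:
            continue
        owner, rest = fields[0].lower().rstrip("."), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                      # drop optional TTL and class
        if rest:
            yield owner, rest[0].upper()

def is_cctld(label):
    # Assumption: ccTLD = two ASCII letters; IDN ccTLDs (xn--...) are not counted.
    return len(label) == 2 and label.isascii() and label.isalpha()

def pct(part, total):
    return round(100 * part / total, 2) if total else 0.0

def summarize(zone_text):
    delegated, with_ds = set(), set()
    for owner, rrtype in parse_records(zone_text):
        if not owner or "." in owner:            # root apex, or glue below a TLD
            continue
        if rrtype == "NS":
            delegated.add(owner)
        elif rrtype == "DS":                     # an RRSIG covering DS is not a DS
            with_ds.add(owner)
    with_ds &= delegated
    cc = {t for t in delegated if is_cctld(t)}
    return {"tlds": len(delegated), "tlds_with_ds": len(with_ds),
            "cctlds": len(cc), "cctlds_with_ds": len(cc & with_ds),
            "cctld_pct": pct(len(cc & with_ds), len(cc)),
            "cctlds_without_ds": sorted(cc - with_ds)}

if __name__ == "__main__":
    print(summarize(SAMPLE_ZONE))
```

A DS record only shows that the parent publishes a trust anchor for the delegation; it does not confirm that the child zone serves matching DNSKEYs and valid signatures.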

26 Aug

Facebook FNA Nodes Updates

Earlier this year after APRICOT 2018, I posted a list of visible Facebook FNA (CDN caching) nodes across the world with IPv4, IPv6 and the AS name. I got quite a few mails in the following months from people mentioning that they had installed nodes but did not see their names in the list (and that was normal since the list was static). 

I re-ran my script to see the latest status of nodes. During the last check I saw 1689 nodes (3rd March). Now on 26th Aug, i.e. after close to 6 months, the total number of nodes has increased to 2204.

Here is the latest sheet containing the list of nodes with ASN, network name, IPv4 and IPv6 – http://link.anuragbhatia.com/fna30aug

Summary of the data and some findings for India

  1. The number of nodes increased by 27% within the last 6 months. 

  2. On the Reliance Jio network the number of nodes increased by just 1 – which is a new node they put in Ludhiana, Punjab. 

  3. In Delhi, the number of FNA nodes went up from 16 to 21. Four new additions are ACT (AS18209), MNR Broadband (AS133648), Facebook itself (AS63293, which is worth exploring) and GEONET GEOCITY NETWORK SOLUTIONS (AS45235). This actually makes me wonder why I do not see any FNA nodes on my ex-employer Spectra AS10029 as yet. (30 Aug 2018 Update: I missed this, please see footer below)

  4. In the case of Mumbai (or Bombay as used for the BOM airport code), the number went up from 17 to 21. New additions are HNS (AS38457), Airtel (AS9498) and Vortex Netsol (AS136334). 

  5. For Chennai the number stayed the same at 6: 4 telcos (Airtel, Jio, Vodafone, IDEA) and 2 broadband ISPs (ACT and Hathway). 

  6. In Kolkata, IDEA added a new FNA node. The rest all seems the same. 

  7. I see zero active nodes in Dishnet Wireless (Aircel) now. Earlier there was one in Kolkata and one in Chennai. 

  8. Still zero active nodes in India’s largest govt. incumbent operator BSNL AS9289. They clearly do not understand the value of content caching nodes. 

  9. There’s major growth in the number of FNA nodes in Airtel, from 9 (in March) to 16 (now at the end of Aug). And for IDEA the number went from 6 to 12, while the number of nodes in Vodafone stays the same (14). 

  10. There’s no node in any of the Tata telecom companies. 

Well, that’s all for now. Have a good Rakshabandhan. 🙂

Update: 30th Aug 2018

My friends from Spectra pointed out that they do have a node, and that made me re-look at my scripts. Due to a bug in the scripts, I was not getting all the nodes. I have fixed the bug and updated the data in this post.