> On Jan 7, 2020, at 9:21 PM, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote: > > DNSSEC is still quite useful, even though it has had a bit of trouble getting going. The very nature of DNSSEC was that it would take a long time to deploy. A similar statement could be made (and has been made) about IPv6. > > It's very shortsighted to expect that everything that IETF does that is useful, will appear useful to IETF participants within a few years of adoption. Indeed, and 2019 saw a significant uptick in the number of DNSSEC domains, https://stats.dnssec-tools.org/images/totalds.svg For a few additional data points: https://lists.dns-oarc.net/pipermail/dns-operations/2020-January/019559.html - 10.70 million signed delegations, up from ~8.77 million a year ago. + 1.50 million signed .COM delegations, up from ~973 thousand. + 97 TLDs with 1000+ signed delegations, up from 76. - 1.73 million DANE SMTP domains, up from ~775 thousand a year ago. + DANE MX hosts in 5.0 thousand zones, up from ~3.8 thousand. - ECDSA P256 (13) now most common KSK algorithm, ahead of RSASHA256 (8). + Last year: 4,005,976 alg 8; 1,908,218 alg 13. + This year: 3,798,256 alg 8; 3,937,115 alg 13. Also, for example, the .com and .net zone ZSKs have been upgraded from 1024-bit RSA to 1280-bit RSA. Meaningful progress is being made. -- Viktor.
