Validation rate growing week by week

Written by Roland van Rijswijk in category: General

All of SURFnet’s DNS resolvers perform DNSSEC validation, and we use the Cacti plug-in for Unbound to graph our nameserver statistics. This yields some interesting data, since it lets us observe the DNSSEC validation rate. That rate has been showing signs of significant growth since the root was signed.

Let me first show you a snapshot graph for one of our resolvers:

Snapshot for

In the graph you can see some statistics for the nameserver. The interesting metric here is the pink line (incorrectly labeled “Answer serure”). What is significant is that this line is actually visible. Before the root was signed, this line was glued to the x-axis; in the past few weeks it has become visible for the first time. The numbers, by the way, should be interpreted as follows: the total number of queries that are potentially validatable is NOERROR + NXDOMAIN (in this case 533.54 qps + 94.60 qps = 628.14 qps). The number of queries that could actually be validated is 20.67 qps. This gives a validation rate (at the point in time this snapshot was made) of about 3.3%.
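The same calculation can be done without the graph. The following is an added example, not part of the original post or of the Cacti plug-in: it takes two snapshots of Unbound's cumulative counters and applies the formula above to the difference. It assumes the snapshots come from `unbound-control stats_noreset` with `extended-statistics: yes`, and that `num.answer.secure` is the counter behind the pink line; the sample counters are constructed from the snapshot figures above over an assumed 100-second interval.

```python
# Added example: validation rate = secure / (NOERROR + NXDOMAIN) over an interval.
VALIDATABLE = ("num.answer.rcode.NOERROR", "num.answer.rcode.NXDOMAIN")
SECURE = "num.answer.secure"  # assumed to be the "Answer secure" series

# Constructed sample snapshots (not real resolver output), 100 seconds apart.
BEFORE = """total.num.queries=1250000
num.answer.rcode.NOERROR=1000000
num.answer.rcode.NXDOMAIN=200000
num.answer.secure=5000
"""
AFTER = """total.num.queries=1315000
num.answer.rcode.NOERROR=1053354
num.answer.rcode.NXDOMAIN=209460
num.answer.secure=7067
"""


def parse_stats(text):
    """Parse 'key=value' lines as printed by unbound-control into a dict."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            continue  # ignore anything that is not a numeric counter
    return stats


def validation_rate(before, after):
    """Return the validated fraction for the interval, or None if undefined."""
    delta = {}
    for key in VALIDATABLE + (SECURE,):
        if key not in before or key not in after:
            raise KeyError(f"{key} missing; is extended-statistics enabled?")
        delta[key] = after[key] - before[key]
        if delta[key] < 0:
            return None  # counters went backwards: restart or stats reset
    validatable = sum(delta[key] for key in VALIDATABLE)
    if validatable == 0:
        return None  # no validatable answers in the interval
    return delta[SECURE] / validatable


if __name__ == "__main__":
    rate = validation_rate(parse_stats(BEFORE), parse_stats(AFTER))
    print(f"validation rate: {rate:.1%}")
```

Working on counter differences rather than raw totals keeps the result tied to the sampling interval, and returning `None` after a restart avoids plotting a bogus negative rate.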

Now this may not sound very significant or spectacular until we look at a graph for the validation rate over time:

Validation rate graphed over 12 weeks

The graph shows the average validation rate over the past twelve weeks (week numbers are shown on the x-axis). The root was signed in week 28, and it is clearly visible that since then the validation rate has been climbing steadily. I’m going to be watching this trend to see if this growth continues, but for now it’s showing that DNSSEC deployment clearly benefited from the root signing 😉