Estimating IPv6 & DNSSEC External Service Deployment Status

Background and Methodology

Background and MethodologyIPv6 & DNSSEC SnapShots
USG IPv6 & DNSSEC StatisticsUSG IPv4 Statistics
Industry IPv6 & DNSSEC StatisticsIndustry IPv4 Statistics
University IPv6 & DNSSEC StatisticsUniversity IPv4 Statistics
CFO Act Agency Summary StatisticsUSG IPv6 Enabled WWW Sites

Frequently Asked Questions (FAQ)


IPv6 Service Deployment Monitor

    This monitoring tool has been developed to try to answer the questions above.The tool attempts to characterize that state of IPv6 deployment on external facing core network services and to track the progress of IPv6 deployments over time.The monitoring tool examines the IPv6 and IPv4 status of DNS, Mail, and Web services for domains on a regular (daily or weekly) basis.USG results post every day ~3pmwhile Industry and University results update on the weekends.The most recently collected data is displayed for both protocols as are the IPv6 adoption statistics over time.

    Note 1, this tool is unrelated to the USGv6 Profile and the USGv6 Testing Program. That is, no attempt is made to assess if the services monitored are running over IPv6 stacks that are compliant with the USGv6 Profile. The USGv6 Program is focused on acquisition and makes no recommendations about deployment scenarios. This tool on the other hand, only focuses on deployment issues.

    For each monitored domain and service we report the estimated number of IPv4 interfaces for that service, followed by an estimate of the number of those interfaces that (a) have an IPv6 address assigned, (b) of those, the number of interfaces whose IPv6 addresses are reachable (simply a 'ping' test, which is [understandably] frequently blocked - no color designations are made here) to our monitor, and finally, (c) the number of those interfaces actually running the service over IPv6 (e.g., answering DNS queries).Finally we include a heuristic indication of whether the service in question seems to be operating within the domain in question or provided elsewhere.The result is an output as follows:

DomainOrganizationDNSMailWeb One[3] 3/3/0 [I][1] 0/0/0 [I][1] 1/0/0 [P]
gov.two.Agency Two[6] 5/5/5 [M][1] 1/0/1 [O][1] 2/2/N [I]
gov.three.    Agency Three    [2] 0/0/0 [O][3] 1/0/0 [P][4] 4/4/4 [O]
gov.four.Agency Four[S] 0/0/0 [L][0] 0/0/0 [-][0] 0/0/0 [-]

    • Note that for a given service...
    • We color the cell red if there appears to be no IPv6 addresses assigned, e.g., 0/0/0
    • We color the cell yellow if addresses are assigned but the application service can not be reached, e.g., 1/0/0 or 3/3/0
    • We color the cell green if the service is fully supported over native IPv6, e.g., 4/4/4 or 1/0/1
    • We color the cell gray if the service is intentionally not assigned, i.e., [0] 0/0/0 [-]

Test Methodologies

    The USG monitor relies on the list of Federal Executive Agency Internet Domains.To [de]register a domain contact the registrar.We further augmented the list with domains learned from previous research studies.Here is the changeLog for the list of domains under test as well as the nonexistent domains that were excluded from testing.The Industry monitor relies on the Fortune 1000 list as well as domains collected from the Alexa list of the top 100 sites in the US.We added to the Industry list with other relevant domains and learned ipv6 domain permutations, e.g., University list was borrowed from an NCAA site of Division 1 schools and has been amended over time.The domain lists under test are not meant to be exhaustive; the goal is to monitor a representation of all domains that exist, focusing on those of interest.Suggested additions of domains are welcome and may be added if appropriately interesting and relevant (i.e., those providing yet unmonitored service interfaces).The key for the output of the monitor is as follows:
[IPv4,S] :: Estimated number of IPv4 service interfaces
IPv6 server assignment is missing, e.g. 0/0/0
IPv6 addresses assigned to servers, e.g. 2/0/0
IPv6 addresses assigned and respond to ping, e.g. 2/2/0
IPv6 addresses are fully operational, e.g. 2/2/2,N
IPv6 addresses are intentionally not assigned, [0] 0/0/0 [-]
[I,P,O,M,L,-] :: Logical location of service relative to domain

[ For IPv4 Results :: values are v4_assigned/v4_reachable/v4_operational ]

    Given an agency domain and web site, a DNS query is performed to find all SOA, NS, and MX resource records and all unique A records assigned to the web server.For every resource record (RR) returned a comparison is performed to see if the record is [I]nside the domain under test, exists in the [P]arent domain, or is [O]utside of the domain under test.When examining all agency domain results for an individual resource record, if a combination of [I],[P],[O] exists the service under consideration is labelled as [M]ixed.Note, the [I,P,O] designation is determined by a string comparison and may not reflect actual ownership scenarios.For example, is an alias to meaning both and testing will examine results will then show the web server to be [O]utside of and the web server to be [I]nside of despite commerce and doc being the same agency.

    The total number of returned records is indicated inside brackets, e.g. [4].For instances where an NS record is not returned an [S] is used to indicate a SERVFAIL and a trailing [L] is listed to signify a Lame delegation.For instances where an MX record is not returned, or when no web servers are found, a [0] is entered in the count field and a [-] is placed in the location field.If all three services fail to return a record the Domain box is colored gray.Further, it is understood that certain domains were not meant to have all three services.When no MX records are found the box is colored gray.The same holds true when reporting the web results.However, all domains must have an NS record and the absence of one will leave the box colored red.An example of the above classifications:

DomainOrganizationDNSMailWeb One[3] #/#/# [I][1] #/#/# [I][1] #/#/# [P]
gov.two.Agency Two[6] #/#/# [M][1] #/#/# [O][1] #/#/# [I]
gov.three.    Agency Three    [2] #/#/# [O][3] #/#/# [P][4] #/#/# [O]
gov.four.Agency Four[S] #/#/# [L][0] #/#/# [-][0] #/#/# [-]

    Momentarily disregarding the counting (#/#/#) information, and absent color designations, Agency One had three [3] NS records all internal [I] to the domain.One [1] MX record was found, which was inside [I] the domain.One [1] web server A record was returned in the [P] parent domain.For Agency Two, six [6] NS records were found, in a mix [M] of locations.One [1] MX record was returned from outside [O] of the domain.The lone [1] web server A record was internal [I]. For Agency Three, two [2][O] oustide NS records were found.Three [3] MX records were located, all of which were in the parent [P] domain and four [4] web server A records were returned from outside [O] of the domain.Finally, for Agency Four, no NS records were returned so it is marked as [S] SERVFAIL and [L] Lame. No MX record was found so a [0] and a [-] are listed.Likewise, zero [0] web server A records were returned so there can be no [-] location designation.

    After retreiving all of the domain's information, A and AAAA DNS lookups are performed on all service hostnames.From there, all uniquely assigned IP addresses are inserted into an array with the number of elements becoming the server assignment data point.For example, if three unique NS IP addresses were found the service count would be 3/#/#.Next, all addresses are pinged and the number that respond are represented as the reachable server data point.Continuing the example, if two of the three NS addresses respond to ping requests the service count becomes 3/2/#.Finally, there is an attempt to reach the service, on every address, over the Internet Protocol under test.The number of interfaces that respond are displayed as the operational data point.Concluding the example, if connections are successfully made to all three addresses, the service count would be 3/2/3.Also, if all attempts to a web server's IP addresses fail, a final attempt is made to the web server name.If that is successful an N is placed in the field, 3/2/N.

    To conclude the data presentation, colors are added to the table to enhance readability.A red field indicates there is no server IP assignment in the DNS.A yellow field indicates assignments are present, may or may not be reachable, but are not operational.A green field indicates the domain has at least one fully ipv6 operational address.Gray is used to indicate when a service is intentionally not assigned.Applying all of these concepts the final table will look as follows:

DomainOrganizationDNSMailWeb One[3] 3/3/0 [I][1] 0/0/0 [I][1] 1/0/0 [P]
gov.two.Agency Two[6] 5/0/3 [M][1] 1/0/1 [O][1] 2/2/N [I]
gov.three.    Agency Three    [2] 0/0/0 [O][3] 1/0/0 [P][4] 4/4/4 [O]
gov.four.Agency Four[S] 0/0/0 [L][0] 0/0/0 [-][0] 0/0/0 [-]

    Additional data is collected during testing, including services that are outsourced, IPv6 allocations (CIDR), and operational service response times.Regardless of location (i.e, [I][P][O]), all service IP addresses, unique in scope to all domains being tested, are counted to produce a comprehensive Unique Configured Service Interfaces graph, Unique IPv6 Operational Serivce Interfaces Over Time graph and an IPv6 Operational Service Domains Over Time graph, all of which are displayed on top of the results page.Finally, the Domain and Organization entries are linked to the domain homepage and the agency results, respectively.The most basic metric collected is the comparison of IPv4 and IPv6 operational interfaces, represented daily in the USG Unique Configured Service Interfaces graph.The current graph is below.

Links : Referenced Domain Web Statistics

    The Federal Executive Agency Internet Domains information used by the monitor includes the domain name address for each domain.This URL is examined and all links found are tested for IPv6 operational readiness.The 'drill down' results for each domain are displayed on a page accessible from the Links column.The percentages shown in this column are explained in item #7 of the table explanations below.

gov.fbi.                Department of Justice      [6] 6/0/6 [I][1] 0/0/0 [I][2] 2/0/2 [O]100%/69%S/V/C

    Each domain results page contains two graphs and a table with statistics.The first graph is a bandwith metric for the http GET of the domain's home URL, comparing the IPv4 and IPv6 throughput over time.The second graph is a box and whisker plot showing the range of IPv6 bandwidth measurements from all IPv6 operational URLs referenced in theDomain Under Test (DUT) homepage (the chart is entitled: Referenced Domain IPv6 Transfer Rate).The box and whisker graph displays the minimum, maximum, mean, 25th percentile, and 75th percentile of all bandwidth measurements.For readability, the box and whisker chart [only] displays the last month of data.An example of these graphs and table, with interpretation, is as follows:

    • 1. Header Information includes the title, date, domain, and agency.The collected vaules, for IPv4 and IPv6, are the seconds [s], bytes [B], and megabits per second [Mbps] for http GETs to the listed URL.The remaining two fields, 6/4[Mbps] and v4|v6, show a comparison of throughput values for the two protocols and the corresponding graph.Note, while throughput values are collected every time a URL appears, the daily graphs are generated using the throughput information collected on the initial inspection.This means a throughput graph may not exactly correspond to the data listed.For example, many domain sites reference, and all of those domain tables will have unique throughput data for facebook, but the facebook graph will only show the data collected the first time facebook was inspected that day.

    • 2. The referenced URL portion of the table.Each line is a URL found on the DUT homepage.Results are displayed alphabetically and not in the order found.This line will note if the URL used was (https) and whether the IPv4 and IPv6 GETs were redirected, [v4R] and [v6R].The redirection statistics link to the redirected URL and are in the format number_of_redirects/time_in_seconds.Above, in the com.facebook.www line, there were two IPv4 and two IPv6 redirections, which took 0.080s of the total 0.430s IPv4 GET and 0.077s of the total 0.381s IPv6 GET.

    • 3. All referenced URLs, which are subdomains of the original DUT are given a blue field.The URL of the DUT's homepage is noted with a leading "?" and is also blue.

    • 4. Collected results are displayed with color designations continued from the general monitor; a green field designates protocol operation while a red field indicates the GET was not successful, i.e., protocol not operational.Unless both IPv4 and IPv6 are operational there can not be a throughput comparison and the 6/4 field is populated with n/a.The graphs will plot whatever operational data there is every day.

    • 5. If the GET retrieval size for IPv6 is not within 10% (90-110%) of the IPv4 GET retrieval, the field is colored yellow.It is generally expected that the files returned will be close in size.Similarly, if the throughput for IPv6 is less than half (<50%) that of IPv4, the field is colored yellow.The yellow field signifies a condition, which may be problematic.

    • 6. On occasions where a response time is recorded (note the 3.125s, signifying a server was reached) but no data was returned, the field is colored white and treated as not operational.

    • 7. The number of referenced domains that are IPv6 operational.The first result is only for the subdomains (the URLs colored blue in #3).The second result is for all of the referenced domains.In this example, those percentages are 100% and 69%, which are the values shown in the Links column in the monitor results.The color designations pertain only to the referenced subdomain results: 100% is green (complete), 0% is red (no progress), and every value in between is yellow (in progress).

Domain Name System Security Extensions (DNSSEC)

    The last column in the table displays the DNSSEC status of the domain.The three values shown (e.g., S/V/C) represent the DNSSEC characteristics: Signed, Valid and Chained, which together establish one of four possible states: Good, Signed Island, Unsigned, and Error. The monitor sends a query for the DNSKEY of the zone and if a DNSKEY RR is returned the zone is considered Signed and Valid.If no DNSKEY records are found the zone is considered Unsigned.If an Error response is returned the monitor attempts to see if the error is DNSSEC related and sets the Valid bit accordingly.The monitor then sends a query to the .gov parent zone to see if the zone has uploaded its DNSSEC key material and has a valid secure chain (from .gov).If DNSSEC material is found the Chained value is set and, if not, the zone is an Island, meaning it may be signed but those signatures may not be trusted since the parent does not know they are signed.Results are collected to produce a DNSSEC Enabled Domains Over Time graph.

    The four states exist in five combinations of:

    • [S]igned ; [U]nsigned
    • [V]alid ; [I]nvalid ; [?](unknown) ; [-](n/a)
    • [C]hained ; [B]roken ; [-](n/a)

    • Unsigned [U/-/-] : The zone does not use DNSSEC and does not have any DNSSEC material in the .gov parent zone
    • Error [U/I/C] : The zone does not use DNSSEC but has DNSSEC material in the .gov parent, thus appearing to be an attack to DNSSEC clients
    • Error [S/I/C] : The zone uses DNSSEC but is invalid due to a DNSSEC error
    • Island [S/?/B] : The zone appears to use DNSSEC but does not have any DNSSEC material in the .gov parent
    • Good [S/V/C] : The zone uses DNSSEC and has DNSSEC material in the .gov parent

    The monitor color codes these designations as follows:

    DomainOrganizationDNSSEC          Agency One    S/V/C
    gov.two.          Agency Two    (errors & islands)
    gov.three.          Agency Three    U/-/-

    Results are linked to the Sandia National Labs DNS Visualization Tool

Graph Representation