Hi Geoff, At 11:22 PM 07-01-2018, Geoff Huston wrote:
Its not as simple as this - users typically are configured with a number of DNS resolvers (2 is most common) and when the first resolver does not answer or returns SERVFAIL then they try the second, and so on.
What APNIC publishes at https://stats.labs.apnic.net/dnssec is 2 numbers:
a) DNSSEC Validate - ALL the resolvers that are called by the user's DNS perform DNSSEC validation, and the user will not resolve a DNS name when that name is signed, but the signature cannot be validated
b) Uses Google's Public DNS data service - the count of users that will call Google's service to resolve a name, but may also call other resolvers if the response from the Google resolver is SERVFAIL
Thank you for explaining the above.
I think you are after a number that is the number of users that use Google's Public DNS service and no other resolver. We do not publish that number as we don't calculate it from the raw data.
Or perhaps you are after the number of users that exclusive use DNSSEC-validating resolvers, one of which is Google's validation service. Again, we do not publish that number as we don't calculate it from the raw data.
It was the second option (use DNSSEC-validing resolovers). Regards, S. Moonesamy