Overview of 1033 signed zones:
695 -14 Entry Point
10 broken chain
279 chained
0 new
49 -372 unreachable

Top 10 autonomous systems injecting DNSSec zones:
439 -1 AS15725
70 AS3333
69 AS3245
68 AS3557
29 -1 AS25537
26 -1 AS24776
23 AS39570
20 +1 AS22548
17 AS36810
17 AS10466

Top 10 TLD containing DNSSec zones:
242 +1 ARPA
217 -2 DE
145 -59 COM
70 SE
69 -1 BG
52 -10 ORG
44 -7 NET
29 -2 RU
22 +22 BR
21 -5 INFO

191 (-21) weak keys:
Top 10 autonomous systems injecting weak keys:
29 -1 AS25537
26 AS24776
13 AS3216
13 +1 AS29632
12 AS7132
7 AS20943
5 AS8228
5 AS8683
4 +4 AS12859
4 +4 AS6197

10 broken DS chains:
17.32.198.in-addr.arpa, 42.32.198.in-addr.arpa, wesh.netsec.tislabs.com
badds.dnssec.jp, hostcount.ripe.net, k.ripe.net, ris.ripe.net, bitstring.se
xn--ihrn-dpa.se, xn--lda-ula.xn--ihrn-dpa.se

31 (+3) parent DS to unsigned zones:
157.110.193.in-addr.arpa, 228.111.193.in-addr.arpa, 98.227.193.in-addr.arpa
128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa
131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa, 133.111.89.in-addr.arpa
134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa, 136.111.89.in-addr.arpa
137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa, 139.111.89.in-addr.arpa
140.111.89.in-addr.arpa, demo.netsec.tislabs.com, isles.netsec.tislabs.com
lindy.netsec.tislabs.com, mike.netsec.tislabs.com
robert.wesh.netsec.tislabs.com, orange.dnssec.jp, segdns.test.mx
ldap.trstech.net, subsigned.signed.telin.nl, hogskolaniboras.se
klan-csa.se, kristianstadpower.se, nl-dnssectest.se, umdac.se, webro.se

15 (-2) unnecessary islands:
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa
241.75.217.in-addr.arpa, pixaco.com.br, badnxt.dnssec.jp
nods-ns.test.dnssec-tools.org, autonomica.se, cafax.se, echo-lan.se
hooden.se, nning.se, shinkuro.se, skabb.se, staver.se, zkt.se

49 (-372) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
12 +8 AS5537
8 -370 AS3265
4 +3 AS23342
2 +2 AS8608
2 +1 AS39570
1 +1 AS2833
1 +1 AS14744
1 +1 AS4436
1 +1 AS546
1 +1 AS40966


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

* Lutz Donnerhacke wrote:
> Overview of 1033 signed zones:
> 49 -372 unreachable
>
> 49 (-372) unreachable zones:
> Top 10 autonomous systems containing unreachable zones:
> 8 -370 AS3265

AS3265 failed to upgrade their software for DNSSEC.

Overview of 11627 signed zones:
1499 +804 Entry Point
9618 +9618 Test
6 -4 broken chain
405 +126 chained
0 new
99 +50 unreachable

Top 10 autonomous systems injecting DNSSec zones:
783 +754 AS25537
461 +22 AS15725
125 +57 AS3557
77 +7 AS3333
70 +50 AS22548
69 AS3245
45 +19 AS24776
28 +5 AS39570
19 +5 AS559
18 +5 AS3216

Top 10 TLD containing DNSSec zones:
783 +754 RU
274 +32 ARPA
232 +15 DE
147 +2 COM
100 +48 ORG
88 +18 SE
84 +62 BR
69 BG
48 +4 NET
38 +38 FR

950 (+759) weak keys:
Top 10 autonomous systems injecting weak keys:
753 +724 AS25537
45 +19 AS24776
18 +5 AS3216
16 +11 AS8228
13 AS29632
9 -3 AS7132
8 +1 AS20943
4 +4 AS29344
4 AS12859
3 +3 AS2119

6 (-4) broken DS chains:
17.32.198.in-addr.arpa, 42.32.198.in-addr.arpa, iana.icann.root.zx.com
bitstring.se, xn--ihrn-dpa.se, xn--lda-ula.xn--ihrn-dpa.se

24 (-7) parent DS to unsigned zones:
157.110.193.in-addr.arpa, 228.111.193.in-addr.arpa, 98.227.193.in-addr.arpa
128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa
131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa, 133.111.89.in-addr.arpa
134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa, 136.111.89.in-addr.arpa
137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa, 139.111.89.in-addr.arpa
140.111.89.in-addr.arpa, ldap.trstech.net, hogskolaniboras.se, klan-csa.se
kristianstadpower.se, nl-dnssectest.se, umdac.se, webro.se, xelerance.se

26 (+11) unnecessary islands:
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa, 4.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
3.1.6.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa
1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa, pixaco.com.br, dlv.switch.ch
dnssec.switch.ch, sub.jelte.nlnetlabs.nl, ipv6.stack.nl, ddns.klubkev.org
autonomica.se, cafax.se, echo-lan.se, nning.se, shinkuro.se, skabb.se
staver.se, zkt.se

99 (+50) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
30 +29 AS25537
12 AS5537
7 +6 AS15725
4 +4 AS6197
4 +2 AS39570
2 -6 AS3265
1 +1 AS22894
1 +1 AS15201
1 AS2833
1 +1 AS80


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

* Lutz Donnerhacke wrote:
> Overview of 11627 signed zones:
> 1499 +804 Entry Point
> 9618 +9618 Test
> 6 -4 broken chain
> 405 +126 chained
> 0 new
> 99 +50 unreachable

I seperated testing enviroments from real deployment.
Testing zones are not further examined.

> Top 10 TLD containing DNSSec zones:
> 783 +754 RU
> 274 +32 ARPA
> 232 +15 DE
> 147 +2 COM
> 100 +48 ORG
> 88 +18 SE
> 84 +62 BR
> 69 BG
> 48 +4 NET
> 38 +38 FR

I got some information from the RU and the FR zone, so I could check those
zone more deeply.

Futhermore I checked the immediate IP neighbourhood of servers in signed
zones for other hosts assuming that the zones of those hosts are also
signed. This reveals a lot of new entries.

Finally I send e-mail about configuration errors or possible improvments to
the zonemasters of possibly errornous zones. Several of those configurations
where fixed.

--
Public production ready DNSSEC signed root at a.dnssec.thur.de, ...
. DS 47484 5 1 83BD0576C2EB42FA9E9B5B9FDD8000F2E1F30C5B
Lookaside zone for most effective DNSSEC deployment right now.
dnssec.iks-jena.de. DS 61533 5 1 CEF158A447EF2E65ACBDBDC068231E08A991A269

Overview of 11616 signed zones:
1461 -38 Entry Point
9619 +1 Test
5 -1 broken chain
417 +12 chained
0 new
114 +15 unreachable

Top 10 autonomous systems injecting DNSSec zones:
767 -16 AS25537
457 -4 AS15725
125 AS3557
77 AS3333
72 +2 AS22548
70 +1 AS3245
45 AS24776
28 AS39570
19 +2 AS36810
19 AS559

Top 10 TLD containing DNSSec zones:
767 -16 RU
278 +4 ARPA
231 -1 DE
142 -5 COM
102 +2 ORG
91 +3 SE
89 +5 BR
69 BG
48 NET
38 FR

911 (-39) weak keys:
Top 10 autonomous systems injecting weak keys:
715 -38 AS25537
45 AS24776
18 AS3216
16 AS8228
13 AS29632
9 +1 AS20943
8 -1 AS7132
4 AS29344
3 AS2119
3 AS3215

5 (-1) broken DS chains:
17.32.198.in-addr.arpa, 42.32.198.in-addr.arpa, bitstring.se
xn--ihrn-dpa.se, xn--lda-ula.xn--ihrn-dpa.se

46 (+22) parent DS to unsigned zones:
0.20.149.in-addr.arpa, 20.20.149.in-addr.arpa, 64.20.149.in-addr.arpa
157.110.193.in-addr.arpa, 228.111.193.in-addr.arpa, 98.227.193.in-addr.arpa
128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa
131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa, 133.111.89.in-addr.arpa
134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa, 136.111.89.in-addr.arpa
137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa, 139.111.89.in-addr.arpa
140.111.89.in-addr.arpa, niet.verweg.com, dnssec.test.kr, drone.test.kr
khj.test.kr, prove.test.kr, ldap.trstech.net, pdnssec.jelte.nlnetlabs.nl
sub.sub.jelte.nlnetlabs.nl, backgammon.brixtal.se, cycled.brixtal.se
decay.brixtal.se, mods.brixtal.se, nyetworks.brixtal.se, spiffy.brixtal.se
swabbing.brixtal.se, tooled.brixtal.se, zenning.brixtal.se, zero.brixtal.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, lyrek.se
nl-dnssectest.se, tshirttryck.se, umdac.se, webro.se, xelerance.se

29 (+3) unnecessary islands:
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa
146.32.198.in-addr.arpa, 178.32.198.in-addr.arpa, 4.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa, pixaco.com.br, eficacia.eng.br
conectway.net.br, sub.jelte.nlnetlabs.nl, ipv6.stack.nl, dyn.johani.org
ddns.klubkev.org, autonomica.se, cafax.se, echo-lan.se, gavle.se, nning.se
ockelbo.se, shinkuro.se, skabb.se, staver.se, zkt.se

114 (+15) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
52 +22 AS25537
12 AS5537
5 -2 AS15725
5 +1 AS39570
2 AS3265
1 AS2833
1 +1 AS13270
1 AS23342
1 +1 AS12322
1 +1 AS20712


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

Overview of 11656 signed zones:
1496 +35 Entry Point
9618 -1 Test
5 broken chain
440 +23 chained
0 new
97 -17 unreachable

Top 10 autonomous systems injecting DNSSec zones:
733 -34 AS25537
456 -1 AS15725
128 +3 AS3557
81 +9 AS22548
78 +1 AS3333
72 +2 AS3245
45 AS24776
32 -353 AS3265
29 +1 AS39570
21 +2 AS36810

Top 10 TLD containing DNSSec zones:
733 -34 RU
285 +7 ARPA
233 +2 DE
159 +17 COM
122 +20 ORG
99 +10 BR
84 -7 SE
71 +2 BG
53 +5 NET
38 FR

871 (-40) weak keys:
Top 10 autonomous systems injecting weak keys:
689 -26 AS25537
45 AS24776
18 AS3216
15 -1 AS8228
9 -4 AS29632
8 -1 AS20943
4 AS29344
4 AS12859
3 AS2119
3 AS3215

5 broken DS chains:
228.111.193.in-addr.arpa, sparta.dnsops.biz, ornl.dnsops.gov, bitstring.se
tgfslp.dalmany.co.uk

31 (-15) parent DS to unsigned zones:
0.20.149.in-addr.arpa, 64.20.149.in-addr.arpa, 157.110.193.in-addr.arpa
178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa
130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa
133.111.89.in-addr.arpa, 134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa
136.111.89.in-addr.arpa, 137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa
139.111.89.in-addr.arpa, 140.111.89.in-addr.arpa, dnssec.test.kr
drone.test.kr, khj.test.kr, prove.test.kr, blopp.se, hogskolaniboras.se
klan-csa.se, kristianstadpower.se, lyrek.se, mirall.se, nl-dnssectest.se
tshirttryck.se, webro.se, xn--botsmarksdck-pcb.se

31 (+2) unnecessary islands:
8.4.e164.arpa, 2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa, 1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa
e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa, cerebrohidroponico.blog.br, pixaco.com.br
eficacia.eng.br, rev.faelix.net, ipv6.stack.nl, parent.dnssec-test.org
signed.dnssec-test.org, dyn.johani.org, ddns.klubkev.org, autonomica.se
echo-lan.se, shinkuro.se, skabb.se, staver.se, xn--lda-ula.xn--ihrn-dpa.se
zkt.se

97 (-17) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
44 -8 AS25537
12 AS5537
6 +1 AS39570
4 +4 AS28860
4 +4 AS29632
2 +2 AS1103
1 +1 AS3245
1 -1 AS3265
1 +1 AS39858
1 -4 AS15725


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

Overview of 11647 signed zones:
1495 -1 Entry Point
9618 Test
6 +1 broken chain
453 +13 chained
0 new
75 -22 unreachable

Top 10 autonomous systems injecting DNSSec zones:
720 -13 AS25537
456 AS15725
136 +136 AS1280
81 AS22548
78 AS3333
71 -1 AS3245
46 +1 AS24776
32 AS3265
29 AS39570
21 AS36810

Top 10 TLD containing DNSSec zones:
720 -13 RU
288 +3 ARPA
234 +1 DE
161 +2 COM
121 -1 ORG
100 +1 BR
84 SE
70 -1 BG
53 NET
37 -1 FR

872 (+1) weak keys:
Top 10 autonomous systems injecting weak keys:
690 +1 AS25537
42 -3 AS24776
18 AS3216
15 AS8228
10 +1 AS29632
8 AS20943
4 AS1103
4 AS29344
4 AS12859
3 AS2119

6 (+1) broken DS chains:
228.111.193.in-addr.arpa, sparta.dnsops.biz, llnl.dnsops.gov, bitstring.se
dyn.niconet.se, tgfslp.dalmany.co.uk

27 (-4) parent DS to unsigned zones:
0.20.149.in-addr.arpa, 64.20.149.in-addr.arpa, 157.110.193.in-addr.arpa
178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa
130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa
133.111.89.in-addr.arpa, 134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa
136.111.89.in-addr.arpa, 137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa
139.111.89.in-addr.arpa, 140.111.89.in-addr.arpa, blopp.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, lyrek.se, mirall.se
nl-dnssectest.se, tshirttryck.se, webro.se, xn--botsmarksdck-pcb.se

33 (+2) unnecessary islands:
8.4.e164.arpa, 2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa, e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa
cerebrohidroponico.blog.br, digitaltv.blog.br, pixaco.com.br
eficacia.eng.br, antd.nist.gov, rev.faelix.net, broken.jelte.nlnetlabs.nl
sub.jelte.nlnetlabs.nl, ipv6.stack.nl, signed.dnssec-test.org
dyn.johani.org, ddns.klubkev.org, autonomica.se, echo-lan.se, shinkuro.se
skabb.se, staver.se, xn--lda-ula.xn--ihrn-dpa.se, zkt.se

75 (-22) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
30 -14 AS25537
12 AS5537
6 AS39570
4 +3 AS24776
2 +1 AS15725
1 AS22894
1 +1 AS9700
1 AS3265
1 AS39858
1 AS7132


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

* Lutz Donnerhacke wrote:
10 autonomous systems injecting DNSSec zones:
> 136 +136 AS1280


Simple reason: ISC changed their AS.

Overview of 11666 signed zones:
1510 +15 Entry Point
9620 +2 Test
4 -2 broken chain
469 +16 chained
0 new
63 -12 unreachable

Top 10 autonomous systems injecting DNSSec zones:
717 -3 AS25537
465 +9 AS15725
137 +1 AS1280
85 +4 AS22548
78 AS3333
71 AS3245
42 -4 AS24776
31 -1 AS3265
28 -1 AS39570
25 +4 AS36810

Top 10 TLD containing DNSSec zones:
717 -3 RU
290 +2 ARPA
233 -1 DE
166 +5 COM
122 +1 ORG
107 +7 BR
88 +4 SE
70 BG
58 +5 NET
34 -3 FR

33 (-839) weak keys:
55.129.in-addr.arpa, 124.32.198.in-addr.arpa, omnity.biz
sandelman.ottawa.on.ca, arakelian.com, gothea.com, intra-links.com
lecorvaisier.com, nikomotos.com, richelieu-consultants.com
agent-factory.de, the-agent-factory.de, bethelks.edu, ll.mit.edu
aarechargement.fr, gigamax.fr, guiraudsa.fr, intra-links.fr, john-nathan.fr
lbpdecoration.fr, lesbeauxpapiers.fr, taplow-consulting.fr, vrai-decor.fr
intra-links.net, rp.secret-wg.org, interlan.se, keyserver.se, skabb.se
spam112.se, staver.se, umdac.se, vfqa.se, zkt.se

4 (-2) broken DS chains:
228.111.193.in-addr.arpa, sparta.dnsops.biz, ch.pr, bitstring.se

25 (-2) parent DS to unsigned zones:
0.20.149.in-addr.arpa, 64.20.149.in-addr.arpa, 157.110.193.in-addr.arpa
178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa
130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa
133.111.89.in-addr.arpa, 134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa
136.111.89.in-addr.arpa, 137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa
139.111.89.in-addr.arpa, 140.111.89.in-addr.arpa, blopp.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, lyrek.se, mirall.se
tshirttryck.se, xn--botsmarksdck-pcb.se

31 (-2) unnecessary islands:
8.4.e164.arpa, 8.0.6.4.1.4.6.3.9.4.e164.arpa, 3.7.5.1.4.6.3.9.4.e164.arpa
2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa, 178.25.217.in-addr.arpa
241.75.217.in-addr.arpa, 4.2.0.0.1.6.0.1.0.0.2.ip6.arpa
5.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 6.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa
1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa, e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa
metalplast.bg, cerebrohidroponico.blog.br, digitaltv.blog.br, pixaco.com.br
eficacia.eng.br, tjmg.gov.br, rev.faelix.net, dyn.johani.org, autonomica.se
echo-lan.se, shinkuro.se, skabb.se, staver.se, xn--lda-ula.xn--ihrn-dpa.se
zkt.se

63 (-12) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
25 -5 AS25537
12 AS5537
5 -1 AS39570
3 +3 AS23504
1 AS3265
1 AS7132
1 +1 AS45
1 AS39858
1 -1 AS15725
1 AS24940


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

> 33 (-839) weak keys:

Classification of weak keys has been changed. Starting with this month
exponent 3 keys are not longer considered as weak. Only keysizes shorter
than 1024 bits for key signing keys are reported here.

Overview of 11716 signed zones:
1503 -7 Entry Point
9620 Test
4 broken chain
496 +27 chained
0 new
93 +30 unreachable

Top 10 autonomous systems injecting DNSSec zones:
710 -7 AS25537
466 +1 AS15725
136 -1 AS1280
85 AS22548
78 AS3333
71 AS3245
42 AS24776
31 AS3265
28 AS39570
25 AS36810

Top 10 TLD containing DNSSec zones:
710 -7 RU
291 +1 ARPA
231 -2 DE
170 +4 COM
140 +33 BR
122 ORG
90 +2 SE
71 +1 BG
58 NET
35 +1 FR

31 (-2) weak keys:
55.129.in-addr.arpa, 124.32.198.in-addr.arpa, omnity.biz
sandelman.ottawa.on.ca, arakelian.com, intra-links.com, lecorvaisier.com
nikomotos.com, agent-factory.de, the-agent-factory.de, bethelks.edu
ll.mit.edu, aarechargement.fr, gigamax.fr, guiraudsa.fr, intra-links.fr
john-nathan.fr, lbpdecoration.fr, lesbeauxpapiers.fr, taplow-consulting.fr
vrai-decor.fr, intra-links.net, rp.secret-wg.org, interlan.se, keyserver.se
skabb.se, spam112.se, staver.se, umdac.se, vfqa.se, zkt.se

4 broken DS chains:
228.111.193.in-addr.arpa, sparta.dnsops.biz, ornl.dnsops.gov, bitstring.se

25 parent DS to unsigned zones:
0.20.149.in-addr.arpa, 64.20.149.in-addr.arpa, 157.110.193.in-addr.arpa
178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa
130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa
133.111.89.in-addr.arpa, 134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa
136.111.89.in-addr.arpa, 137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa
139.111.89.in-addr.arpa, 140.111.89.in-addr.arpa, blopp.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, lyrek.se, mirall.se
tshirttryck.se, xn--botsmarksdck-pcb.se

32 (+1) unnecessary islands:
8.4.e164.arpa, 8.0.6.4.1.4.6.3.9.4.e164.arpa, 3.7.5.1.4.6.3.9.4.e164.arpa
2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa, 178.25.217.in-addr.arpa
241.75.217.in-addr.arpa, 4.2.0.0.1.6.0.1.0.0.2.ip6.arpa
5.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 6.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa
1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa, e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa
metalplast.bg, cerebrohidroponico.blog.br, digitaltv.blog.br, pixaco.com.br
eficacia.eng.br, tjmg.gov.br, rev.faelix.net, dyn.johani.org
ddns.klubkev.org, autonomica.se, echo-lan.se, shinkuro.se, skabb.se
staver.se, xn--lda-ula.xn--ihrn-dpa.se, zkt.se

93 (+30) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
37 +12 AS25537
12 AS5537
9 +8 AS22548
7 +6 AS15725
6 +1 AS39570
3 +2 AS7132
3 AS23504
2 +1 AS3265
2 +2 AS8228
1 +1 AS20852


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

> Top 10 TLD containing DNSSec zones:
> 140 +33 BR

Main contributor is the ministry of justice. They signed all their subzones.

> Top 10 TLD containing DNSSec zones:
> 140 +33 BR

Main contributor is the ministry of justice. They signed all their subzones.

Futhermore some new top level domains got signed:
xn--0zwm56d, xn--11b5bs3a9aj6g, xn--80akhbyknj4f, xn--9t4b11yi5a,
xn--deba0ad, xn--g6w251d, xn--hgbk6aj7f53bba, xn--hlcj6aya9esc7a,
xn--jxalpdlp, xn--kgbechtv, xn--zckzah.
I consider them as test domains, but this shows how far the ICANN reached
their signing practice.

Overview of 11791 signed zones:
1482 -21 Entry Point
9621 +1 Test
17 +13 broken chain
585 +89 chained
0 new
86 -7 unreachable

Top 10 autonomous systems injecting DNSSec zones:
697 -13 AS25537
462 -4 AS15725
137 +1 AS1280
86 +1 AS22548
78 AS3333
71 AS3245
70 +70 AS4230
42 AS24776
31 AS3265
28 AS39570

Top 10 TLD containing DNSSec zones:
697 -13 RU
291 ARPA
231 +91 BR
229 -2 DE
165 -5 COM
123 +1 ORG
91 +1 SE
71 BG
57 -1 NET
35 FR

33 (+2) weak keys:
55.129.in-addr.arpa, 124.32.198.in-addr.arpa, omnity.biz, jfce.jus.br
sandelman.ottawa.on.ca, arakelian.com, intra-links.com, lecorvaisier.com
nikomotos.com, agent-factory.de, the-agent-factory.de, bethelks.edu
ll.mit.edu, aarechargement.fr, gigamax.fr, guiraudsa.fr, intra-links.fr
john-nathan.fr, lbpdecoration.fr, lesbeauxpapiers.fr, vrai-decor.fr
intra-links.net, kfuq.net, daedelys.org, rp.secret-wg.org, interlan.se
keyserver.se, skabb.se, spam112.se, staver.se, umdac.se, vfqa.se, zkt.se

17 (+13) broken DS chains:
228.111.193.in-addr.arpa, sparta.dnsops.biz, jfac.jus.br, jfam.jus.br
jfap.jus.br, jfba.jus.br, jfce.jus.br, jfdf.jus.br, jfma.jus.br
jfmg.jus.br, jfpe.jus.br, jfro.jus.br, jfrr.jus.br, trf1.jus.br
ornl.dnsops.gov, ipv4.stack.nl, bitstring.se

26 (+1) parent DS to unsigned zones:
0.20.149.in-addr.arpa, 157.110.193.in-addr.arpa, 178.170.195.in-addr.arpa
128.111.89.in-addr.arpa, 129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa
131.111.89.in-addr.arpa, 132.111.89.in-addr.arpa, 133.111.89.in-addr.arpa
134.111.89.in-addr.arpa, 135.111.89.in-addr.arpa, 136.111.89.in-addr.arpa
137.111.89.in-addr.arpa, 138.111.89.in-addr.arpa, 139.111.89.in-addr.arpa
140.111.89.in-addr.arpa, lobbi.bg, niet.verweg.com, blopp.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, lyrek.se, mirall.se
tshirttryck.se, xn--botsmarksdck-pcb.se

30 (-2) unnecessary islands:
8.4.e164.arpa, 9.9.6.2.2.8.4.e164.arpa, 8.0.6.4.1.4.6.3.9.4.e164.arpa
3.7.5.1.4.6.3.9.4.e164.arpa, 2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa
1.2.0.0.1.8.e164.arpa, 0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
7.f.3.0.8.3.8.0.1.0.0.2.ip6.arpa, 1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa
e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa, metalplast.bg, cerebrohidroponico.blog.br
digitaltv.blog.br, pixaco.com.br, eficacia.eng.br, bw.nist.gov
rev.faelix.net, signed.dnssec-test.org, autonomica.se, skabb.se, staver.se
xn--lda-ula.xn--ihrn-dpa.se, zkt.se

86 (-7) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
32 -5 AS25537
12 AS5537
8 +1 AS15725
5 -1 AS39570
3 AS1280
3 +3 AS18881
1 AS10466
1 AS24776
1 +1 AS3292
1 AS4436


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

Overview of 21079 signed zones:
1591 +109 Entry Point
18692 +9071 Test
14 -3 broken chain
693 +108 chained
0 new
89 +3 unreachable

Top 10 autonomous systems injecting DNSSec zones:
674 -23 AS25537
495 +33 AS15725
141 +4 AS1280
118 +48 AS4230
89 +3 AS22548
79 +1 AS3333
71 AS3245
50 +50 AS8167
37 -5 AS24776
36 +8 AS39570

Top 10 TLD containing DNSSec zones:
674 -23 RU
310 +79 BR
308 +17 ARPA
249 +20 DE
194 +29 COM
143 +20 ORG
112 +21 SE
74 +17 NET
71 BG
29 -6 FR

29 (-4) weak keys:
55.129.in-addr.arpa, omnity.biz, sandelman.ottawa.on.ca, arakelian.com
intra-links.com, lecorvaisier.com, nikomotos.com, agent-factory.de
the-agent-factory.de, ll.mit.edu, aarechargement.fr, gigamax.fr
guiraudsa.fr, intra-links.fr, john-nathan.fr, lbpdecoration.fr
lesbeauxpapiers.fr, vrai-decor.fr, intra-links.net, timmins.net
il.fontys.nl, daedelys.org, rp.secret-wg.org, interlan.se, keyserver.se
spam112.se, staver.se, umdac.se, vfqa.se

14 (-3) broken DS chains:
228.111.193.in-addr.arpa, kobayashi.eti.br, rafaeljusto.eti.br
juventudeweb.mte.gov.br, jtes.jus.br, tjmsp.jus.br, tjsc.jus.br
im.trf5.jus.br, trt17.jus.br, trt6.jus.br, ornl.dnsops.gov
zoidberg.nlnetlabs.nl, exempel1.tset.se, exempel2.tset.se

22 (-4) parent DS to unsigned zones:
157.110.193.in-addr.arpa, 178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa
129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa
132.111.89.in-addr.arpa, 133.111.89.in-addr.arpa, 134.111.89.in-addr.arpa
135.111.89.in-addr.arpa, 136.111.89.in-addr.arpa, 137.111.89.in-addr.arpa
lobbi.bg, tjmt.jus.br, tjrr.jus.br, blopp.se, brixtal.se
hogskolaniboras.se, klan-csa.se, kristianstadpower.se, mirall.se
xn--botsmarksdck-pcb.se

45 (+15) unnecessary islands:
9.9.6.2.2.8.4.e164.arpa, 8.0.6.4.1.4.6.3.9.4.e164.arpa
3.7.5.1.4.6.3.9.4.e164.arpa, 1.0.8.1.0.4.0.4.9.4.e164.arpa
2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
1.0.0.0.e.4.7.c.3.6.8.d.2.0.0.2.ip6.arpa, e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa
cerebrohidroponico.blog.br, pixaco.com.br, eficacia.eng.br, mendes.eng.br
tj.ce.gov.br, jfce.gov.br, tjm.sp.gov.br, trt22.gov.br, lacnicxi.nic.br
wln.psi.br, home.clegg.com, bldr.nist.gov, bw.nist.gov, cst-b.nist.gov
emd.nist.gov, mrd.nist.gov, mtdiv.nist.gov, plant.nist.gov, tfd.nist.gov
rev.faelix.net, signed.dnssec-test.org, dyn.johani.org, ddns.klubkev.org
autonomica.se, skabb.se, sm6rpc.se, staver.se, xn--lda-ula.xn--ihrn-dpa.se
zkt.se

89 (+3) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
38 +6 AS25537
10 -2 AS5537
10 +9 AS4555
3 -2 AS39570
2 +2 AS12178
2 AS7132
2 +2 AS35470
1 +1 AS2648
1 AS3292
1 AS3265


--
Detailed list: http://www.iks-jena.de/leistungen/dnssec.php
Outsourcing DNSSEC: http://www.iks-jena.de/dnssec_remote.html
Checking your domain: http://www.iks-jena.de/cgi-bin/dnssec_how_dns_works.pl

* Lutz Donnerhacke wrote:
> Overview of 21079 signed zones:
> 1591 +109 Entry Point
> 18692 +9071 Test
> 14 -3 broken chain
> 693 +108 chained
> 0 new
> 89 +3 unreachable

Sorry for the three months delay in posting this report. So the rates seem
more impressive than they are.

In the last few days, a significant run to DNSSEC deployment occured for
obvious reasons. Let's hope that this deployment will stay on a strong ground.

Overview of 21314 signed zones:
1750 +159 Entry Point
18690 -2 Test
35 +21 broken chain
775 +82 chained
0 new
64 -25 unreachable

Top 10 autonomous systems injecting DNSSec zones:
686 +12 AS25537
494 -1 AS15725
147 +6 AS1280
118 AS4230
91 +2 AS22548
82 +11 AS3245
79 AS3333
57 +7 AS8167
45 +9 AS39570
36 +11 AS36810

Top 10 TLD containing DNSSec zones:
686 +12 RU
338 +30 ARPA
323 +13 BR
262 +13 DE
224 +30 COM
185 +42 ORG
136 +24 SE
86 +12 NET
82 +11 BG
36 +36 PR

26 (-3) weak keys:
55.129.in-addr.arpa, 124.32.198.in-addr.arpa, omnity.biz
sandelman.ottawa.on.ca, arakelian.com, intra-links.com, lecorvaisier.com
nikomotos.com, agent-factory.de, the-agent-factory.de, ll.mit.edu
aarechargement.fr, gigamax.fr, guiraudsa.fr, intra-links.fr, john-nathan.fr
lbpdecoration.fr, lesbeauxpapiers.fr, vrai-decor.fr, ciespal.net
intra-links.net, il.fontys.nl, daedelys.org, rp.secret-wg.org, keyserver.se
vfqa.se

35 (+21) broken DS chains:
228.111.193.in-addr.arpa, 224.30.193.in-addr.arpa, 225.30.193.in-addr.arpa
226.30.193.in-addr.arpa, 227.30.193.in-addr.arpa, 240.143.79.in-addr.arpa
241.143.79.in-addr.arpa, 242.143.79.in-addr.arpa, 243.143.79.in-addr.arpa
244.143.79.in-addr.arpa, 245.143.79.in-addr.arpa, 246.143.79.in-addr.arpa
247.143.79.in-addr.arpa, 248.143.79.in-addr.arpa, 249.143.79.in-addr.arpa
250.143.79.in-addr.arpa, 251.143.79.in-addr.arpa, 252.143.79.in-addr.arpa
253.143.79.in-addr.arpa, 254.143.79.in-addr.arpa, 255.143.79.in-addr.arpa
8.7.6.0.1.0.a.2.ip6.arpa, infoweapons.dnsops.biz, kobayashi.eti.br
rafaeljusto.eti.br, tjmsp.jus.br, tjmt.jus.br, trt1.jus.br, trt6.jus.br
trtrj.jus.br, ornl.dnsops.gov, bitstring.se, ncw.se, xelerance.se
ipv6.dalmany.co.uk

18 (-4) parent DS to unsigned zones:
157.110.193.in-addr.arpa, 178.170.195.in-addr.arpa, 128.111.89.in-addr.arpa
129.111.89.in-addr.arpa, 130.111.89.in-addr.arpa, 131.111.89.in-addr.arpa
132.111.89.in-addr.arpa, lobbi.bg, sparta.dnsops.biz, argang6225.se
blopp.se, brixtal.se, hogskolaniboras.se, klan-csa.se, kristianstadpower.se
mirall.se, umdac.se, xn--botsmarksdck-pcb.se

62 (+17) unnecessary islands:
9.9.6.2.2.8.4.e164.arpa, 8.0.6.4.1.4.6.3.9.4.e164.arpa
3.7.5.1.4.6.3.9.4.e164.arpa, 1.0.8.1.0.4.0.4.9.4.e164.arpa
2.2.0.2.4.6.3.3.6.6.9.4.e164.arpa, 1.2.0.0.1.8.e164.arpa
64-26.0.149.193.in-addr.arpa, 0.68.193.in-addr.arpa, 42.32.198.in-addr.arpa
178.25.217.in-addr.arpa, 241.75.217.in-addr.arpa
4.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 5.2.0.0.1.6.0.1.0.0.2.ip6.arpa
6.2.0.0.1.6.0.1.0.0.2.ip6.arpa, 7.2.0.0.1.6.0.1.0.0.2.ip6.arpa
0.0.0.0.1.0.0.0.8.7.6.0.1.0.0.2.ip6.arpa, b.2.2.1.8.f.6.0.1.0.0.2.ip6.arpa
3.2.3.1.8.f.6.0.1.0.0.2.ip6.arpa, 8.8.4.1.1.0.0.2.ip6.arpa
3.2.0.1.0.7.1.0.1.0.a.2.ip6.arpa, 8.c.2.0.8.9.1.0.1.0.a.2.ip6.arpa
e.8.1.c.8.0.3.0.1.0.a.2.ip6.arpa, cerebrohidroponico.blog.br, pixaco.com.br
eficacia.eng.br, mendes.eng.br, mensura.eng.br, tj.ce.gov.br, jfce.gov.br
tjm.sp.gov.br, lacnicxi.nic.br, dlv.vulcano.cl, home.clegg.com
mobile.wsrcc.com, epages.cz, mou.cz, bldr.nist.gov, boulder.nist.gov
bw.nist.gov, cst-b.nist.gov, emd.nist.gov, mrd.nist.gov, mtdiv.nist.gov
plant.nist.gov, tfd.nist.gov, rev.faelix.net, signed.dnssec-test.org
cdname.signed.dnssec-test.org, deep.signed.dnssec-test.org
secure.signed.dnssec-test.org, wild.signed.dnssec-test.org, dyn.johani.org
autonomica.se, geointel.se, pay2use.se, sakerkundanslutning.se, skabb.se
exempel1.tset.se, exempel2.tset.se, xn--lda-ula.xn--ihrn-dpa.se
xn--skogskarna-55a.se, zkt.se

64 (-25) unreachable zones:
Top 10 autonomous systems containing unreachable zones:
24 -14 AS25537
6 +3 AS15725
5 -5 AS5537
5 +2 AS39570
4 +3 AS3265
2 AS7132
1 AS2648
1 AS3292
1 +1 AS3527
1 +1 AS209


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php

> 1750 +159 Entry Point
> 775 +82 chained
>
> Top 10 TLD containing DNSSec zones:
> 686 +12 RU
> 338 +30 ARPA
> 323 +13 BR
> 262 +13 DE
> 224 +30 COM
> 185 +42 ORG
> 136 +24 SE
> 86 +12 NET
> 82 +11 BG
> 36 +36 PR

Current DNSSEC debate as well as the Kaminsky spectacle pushed the dnssec
deployment to a new high.

Hallo Lutz, Du teiltest mit:

> Overview of 21314 signed zones:
> 1750 +159 Entry Point
....
>
> Top 10 TLD containing DNSSec zones:
> 686 +12 RU
> 338 +30 ARPA
> 323 +13 BR
> 262 +13 DE

Worauf beziehen sich die Differenzen?
fragt
Wolfgang

--
Nirgendwo hängt der Schulerfolg so stark von Einkommen und Vorbildung
der Eltern ab wie in D'land. Das dt. Schulsystem versagt bei der
Förderung von Arbeiter- und Migrantenkindern. (dpa/FTD 22.11.04)

On Mon, 13 Oct 2008 10:10:35 +0000 (UTC), Lutz Donnerhacke wrote:

> gigamax.fr,

There is your answer! Frogs!
--
Mommy, Daddy, can i live with you the rest of my life?
Waaaaaaaaaa!!!! i umpire but i don wanna work either.


______________
/ \
| WHAAAAAAAAAAA! |
\__ _________/
/ ,'
_.~._ /,'
,~'.~*~.`~.
/ : _..._ : \
{ :,"''\\`".: }
`C) 0 _ 0 (--.._,-"""-.__
( ) * ( ) `.
`-.-_-.-' \
,' \ / ,` ;`-._,-.
,' ,'/ ,' `---t.,-. \_
,--.,',' ,'----.__\ _( \----'
'///,`,--.,' `-.__.--' `. )
'///,' `-`

* Wolfgang Ewert wrote:
> Worauf beziehen sich die Differenzen?

Auf das letzte Posting.

* Lutz Donnerhacke:

> Top 10 TLD containing DNSSec zones:

> 224 +30 COM

Heißt "224", daß 224 COM-Domains DNSKEYs in der Zone haben, oder woran
machst Du den DNSSEC-Status fest?

Ich hatte im September einen Sweep über die Zone gemacht und kam auf
über 500 solcher Zonen.

* Florian Weimer wrote:
> * Lutz Donnerhacke:
>> Top 10 TLD containing DNSSec zones:
>> 224 +30 COM
>
> Heißt "224", daß 224 COM-Domains DNSKEYs in der Zone haben,

Ja.

> oder woran machst Du den DNSSEC-Status fest?

Primär an der existenz eines DNSKEYs. Danach an RFC 5011.

> Ich hatte im September einen Sweep über die Zone gemacht und kam auf
> über 500 solcher Zonen.

Ich bin an Ergebnissen interessiert. Eine Zugriff auf die Zone habe ich nach
wie vor nicht.

Overview of 24088 signed zones:
2621 +871 Entry Point
18673 -17 Test
15 -20 broken chain
2511 +1736 chained
0 new
268 +204 unreachable

Top 10 autonomous systems injecting DNSSec zones:
817 +817 AS9167
781 +736 AS39570
726 +40 AS25537
472 -22 AS15725
230 +230 AS25234
194 +112 AS3245
132 -15 AS1280
122 +122 AS31442
109 +109 AS13647
89 -2 AS22548

Top 10 TLD containing DNSSec zones:
1987 +1851 SE
724 +38 RU
503 +279 COM
452 +452 CZ
357 +34 BR
333 +71 DE
210 +25 ORG
209 -129 ARPA
188 +106 BG
81 -5 NET

866 (+840) weak keys:
Top 10 weak keys:
817 SE
30 COM
8 FR
2 NET
2 DE
2 ORG
1 ARPA
1 EDU
1 CA
1 BIZ

15 (-20) broken DS chains:
infoweapons.dnsops.biz, xelerance.dnsops.biz, kobayashi.eti.br
rafaeljusto.eti.br, tjam.jus.br, tjmsp.jus.br, tjmt.jus.br, trt6.jus.br
gransy.cz, llnl.dnsops.gov, opm.dnsops.gov, ornl.dnsops.gov
secstate.dnsops.gov, bitstring.se, xelerance.se

21 (+3) parent DS to unsigned zones:
tuxstrike.sec3.br, steiner-pluesch.de, n.dnssec.netsec.colostate.edu
s.dnssec.netsec.colostate.edu, nihsec.dnsops.gov, noaa.dnsops.gov
secure.hardakers.net, julia-art.ru, minm.ru, olimpicvillage.ru, poing.ru
polzi.ru, prcenter-news.ru, salondiana.ru, xsochi.ru, klan-csa.se
kristianstadpower.se, mirall.se, shadowartworks.se, umdac.se
xn--botsmarksdck-pcb.se

522 (+460) unnecessary islands:
Top 10 unnecessary islands:
385 SE
45 BG
31 ARPA
31 GOV
13 BR
8 CZ
4 ORG
2 CH
1 COM
1 GR

268 (+204) unreachable zones:
Top 10 unreachable zones:
172 CZ
60 SE
11 RU
4 GOV
4 COM
2 PR
2 EDU
2 NET
2 DE
2 BR


--
Detailed list: https://www.iks-jena.de/leistungen/dnssec.php