I keep seeing a claim that something like 10% of DNS requests are signed with DNSSEC, but that's an awfully hard number to square with the top sites on the Internet, virtually none of whom are DNSSEC-signed. Reconcile for us, please?
"signed with DNSSEC" is an ambiguous statement. You need to take into account that, while nameservers may enable DNSSEC, resolvers may:
(a) validate (include the AD bit) but strip the RRSIGs (i.e. regular DNSSEC resolver)
(b) omit the AD bit but include the RRSIGs (i.e. you have to validate yourself)
(c) omit the AD bit and omit the RRSIGs (i.e. regular non-DNSSEC resolver)
(d) validate (i.e. include the AD bit) and include the RRSIGs (i.e. alleluia!)
My own study [0] (using the Atlas network [1]) found 30% of resolvers doing (a), and 65% doing (b), including some overlap. There are people way more qualified than me doing this kind of stuff, namely APNIC's Geoff Huston, see [2] for instance.
Hmm... I'm not sure where you are seeing that claim that 10% of DNS requests are signed with DNSSEC. I've certainly promoted the statistic that 10-12% of DNS requests are performing DNSSEC validation - and that is based on Geoff Huston's DNSSEC validation metrics out of APNIC - see: http://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&g... (although the measurement seems broken for the past few days)
