Category: Statistics

Over 50% of .CZ domains now signed with DNSSEC!

CZ domain statisticsCongrats to the team at CZ.NIC and to Internet users within the Czech Republic – the number of .CZ domains signed with DNSSEC just passed over the 50% mark! It’s great to see so many businesses, organizations and individuals using .CZ domains now receiving the higher level of trust that comes with DNSSEC signatures.

CZ.NIC’s Ondrej Filip spread the news yesterday in a tweet:

This milestone fits well with other European country code top-level domains (ccTLDs) that also have significant signing of second-level domains, including: Norway’s .NO (58.2%), Sweden’s .SE (also 51.3%), the Netherland’s .NL (45%).

Congrats to Ondrej and the whole team at .CZ for achieving this milestone! Now on to the remaining 48.7%…  🙂

If you want the higher level of trust that comes with signing your domain with DNSSEC, please visit our “Start Here” page to find resources to help you begin!

Google Stats Now Showing Over 8% IPv6

A nice way to end a Friday afternoon… I happened to look at Google’s IPv6 statistics for the first time in a while and see that they’ve climbed up over 8%!

Google IPv6 statsWe’ve kind of stopped celebrating each individual percentage point because the reality is the graph just keeps on going up and to the right in the direction we want!

Still, this was a nice way to end the work week.  Looking forward to celebrating a bit more when they hit 10%!

P.S. As the graph shows, IPv6 at this point is on the trajectory where it is just going to happen … if you haven’t already started figuring out what to do, please do look at our Start Here page to understand how you can get started transitioning your networks, devices and applications to make sure they’re ready!

Swisscom Doubles IPv6 Deployment – Verizon Wireless Hits 70% IPv6

Some great news for IPv6 advocates in the latest August 2015 World IPv6 Launch measurements. As our colleague Mat Ford writes, Swisscom doubled their deployment over the past few months to near 40%!

Swisscom IPv6 statistics

Meanwhile, Verizon Wireless continues its steady climb to where the sites measuring activity are now seeing 70% IPv6 deployment from Verizon’s network:

Verizon Wireless IPv6

It continues to be fun to watch this trend line grow up and to the right!

Many more statistics are available at the World IPv6 Launch measurements page. As Mat notes, Telekom Malaysia entered the top ten networks based on the methodology used (see the bottom of the page to learn more).  Congrats to the folks there in Malaysia for making this happen!

If you want to expand your IPv6 efforts, please visit our Start Here page to find resources to help!

And if you are a network operator with IPv6 deployed, why not sign up to join into the World IPv6 Launch measurements effort?  It’s free to you and it will help us continue to understand and measure the transition to IPv6!

Congratulations to Argentina On DNSSEC-Signing of .AR!

Congratulations to Argentina on becoming the latest country to sign their country-code top-level-domain (ccTLD), with DNSSEC!  Today we are very pleased to update our DNSSEC Deployment Maps and give Argentina a shade of green for .AR!  Here’s how the maps looked between last Monday and today:

Argentina and DNSSEC

Awesome to see!

And obviously perfect timing for the ICANN 53 meeting next week in Buenos Aires where we’ll be talking all about DNSSEC at numerous sessions!

Congratulations to the whole team at NIC.AR for making this happen. Now all the people who register domains underneath .AR will at least have the possibility of adding the layer of security and trust that DNSSEC can provide. They will also be able to potentially use DANE and other new innovations that build upon DNSSEC.

The next step, of course, is for the registrars and DNS hosting providers who support .AR domains to allow registrants to use DNSSEC.  But that wouldn’t be possible without this first step of signing the .AR ccTLD.

Congrats and we’re looking forward to celebrating with the NIC.AR team in Buenos Aires!

P.S. If you would like to get started with DNSSEC, please visit our Start Here page to learn how to begin!   And if you would like to receive our weekly DNSSEC deployment maps, we have information about how you can subscribe.

Verizon Wireless Nears 70% IPv6, AT&T Crosses 50%, More…

The latest World IPv6 Launch measurements are out for May 15 and as my colleague Mat Ford explains in a blog post, there’s a lot of great momentum happening! My attention was drawn to the fact that Verizon Wireless is at 69.1%… at their current rate they should cross over 70% by next month:

Verizon Wireless IPv6 measurements

As Mat noted, AT&T broke through the 50% IPv6 mark this month and has the kind of growth chart you love to see:


Looking at the May measurements, T-Mobile USA also continues their solid growth as do Comcast, Time Warner Cable and Telefonica del Peru.

Mat’s post also dives into some of the newer entrants such as Saudi Arabia’s Saudi Telecom Company.

All around great news to see!  IPv6 deployment is happening! :-)

If you’ve started deploying IPv6 in your network, why not sign up to have your network counted in the measurements?  It’s free and you’ll help the global technical community gain more insight into the true status of IPv6 deployment.

And if you haven’t started with IPv6 yet, please do visit our Start Here page to find resources to get going!  The time is now!

Another Great DNSSEC Statistics Site For Second-Level Domains –

Want to know how many domains are signed with DNSSEC under each top-level domain (TLD)?  We now have another site to help!  For over a year now, every week I use a great site that Rick Lamb maintains at:

so that I can find out what new domains I need to add to our DNSSEC Deployment Maps database. By default he shows a reverse-chronological list of all the TLDs that are signed.


… if you look over on the right side Rick has added something new!  Two new columns labeled “% Signed” and “Misc”.  These show you:

  • The percentage of total domains that are signed with DNSSEC;
  • The raw numbers of signed domains / total domains.

What’s very cool is that you can click on each heading to sort the columns. Click once to sort from lowest to highest. Click once more to sort from highest to lowest.

This second sort is where it gets interesting.

With the “% Signed” you have to scroll down a bit because of course brand new TLDs that only have one domain (often nic.TLD) and also have that domain signed score 100%.  But as you go down the list it starts to get more interesting.  Here’s a view part of the way down:

DNSSEC Statistics

What I find MUCH more interesting, though, is the raw numbers showing the number of DNSSEC-signed domains.  Click on the “Misc” heading cell twice and you get something like this:

DNSSEC stats

That shows us that .NL has the most with 2.4 million domains signed followed by .COM with 491 thousand domains and then .CZ, .SE and onwards.

What you will notice that is different here from the ntldstats DNSSEC stats site I wrote about last week is that Rick’s site pulls in data from some of the country-code TLDs (ccTLDs) and also some of the original generic TLDs (gTLDs) such as .COM, .NET, etc.    The ntldstats site is (understandably) only about the “new gTLDs” whereas Rick’s site covers the wider range of TLDs.

Notice that I said “some” of the ccTLDs and gTLDs.  Rick can only incorporate data from TLDs that provide some kind of feed he can use.  If you scroll on down the list you’ll see that there are TLDs there that have no numbers next to them:

DNSSEC stats

However, we know from NIC.BR’s statistics page that .BR has 747,000 domains signed with DNSSEC, which would move it into the second position above .COM in the listing.  Similarly .ORG has many signed domains, too.

Over time hopefully we can get these other TLDs to offer statistics feeds in a way that sites like Rick’s can consume them and help provide a more solid view of overall DNSSEC deployment.

Meanwhile, it’s fantastic that Rick has made these updates to his site and it is a great service to the larger Internet community that he maintains this info. (Thanks, Rick!)

I’m looking forward to seeing these numbers grow!

P.S. If you’d like to help these numbers grow, why not head over to our Start Here page and find out how can get started with signing your domains with DNSSEC?

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)

Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the 100s of new generic top-level domains (newgTLDs) are seeing the most second-level domains signed with DNSSEC. You can see the stats at:

Here is a view of how it looks right now:

newgTLD DNSSEC stats

The site shows a number of interesting stats, including:

  • the percentage of newgTLDs with signed second-level domains in them (60.80% at the time I write this)
  • the number and percentage of signed zones as it relates to the overall number of registered domains within the newgTLDs
  • the number of zones (of those signed) that failed DNSSEC validation (indicating a configuration issue)
  • a trend line over time
  • the distribution of signed domains across the number of newgTLDs
  • breakdowns of signed domains by both newgTLD and also by registrar

While the overall number of signed domains today within the 5.2 million domains registered in the newgTLDs is a very small 0.95%, we now have a very easy way to see where DNSSEC signing is being actively used – and a way to measure which of the newgTLDs and also registrars are doing the most to support DNSSEC deployment.

I was intrigued to see that the leader of the newgTLDs is the .OVH TLD sponsored by a French hosting provider, OVH, with Afnic providing the back-end registry. According to their site, the OVH domain started as an April Fool’s joke in 2009 and then became a reality due to the interest.  Clicking through to their registrar site (they are apparently the only registrar for the .OVH domain), you can see why they have so many domains signed – they have a “Activate DNSSEC on this extension!” link directly on their registration page!

Looking at the Registrar Breakdown column, the OVH registrar leads in the number of DNSSEC-signed newgTLDs, presumably because they are again offering DNSSEC-signing to anyone who uses them for DNS hosting, regardless of what newgTLD they register under.

I was also curious as to why “.paris” was the second-highest newgTLD with 2,347 signed domains, but the probably answer could be quickly found by clicking through to the .paris page. It shows the top 2 registrars as “Gandi SAS” and “OVH sas”… my guess would be that many/most of the 2,347 signed domains could come from the 4,000 domains registered by OVH, given that they are actively promoting DNSSEC.

Another interesting element of this new page is that you can change the slider underneath the trend line to see more stats over time.  By moving the slider all the way to the left you can get a view of the trend in the newgTLDs:

dnssec signing trend chart

There’s a huge jump in October 2014.  Given the other stats and the information on the OVH web site, my guess would be that this was a result of the launch of the .OVH newgTLD.

Anyway… there’s probably a lot more we can learn from exploring the statistics in this way.  The key point is that now there is a very easy-to-use web interface that lets us track and be able to show which of the newgTLDs are doing the most to provide registrants the security provided by DNSSEC.  I’d note that this is all possible because all of the new gTLDs are required by ICANN to submit their zone files to the Centralized Zone Data Service (CZDS), allowing sites like nTLDstats to query the CZDS and build views such as these.

Kudos to the nTLDstats team for adding this page!  I will be adding it to our DNSSEC Statistics page and look forward to using it over time.

P.S. Want to get started with signing your domain?  Visit our Start Here page to learn how!

Over 600 Top-Level Domains Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:

DNSSEC statistics

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world.  If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

ccTLD dnssec deployment map

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD.  Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops,  ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead.  The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!

Great to see!

P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.

BT Releases Results of 2014 DNSSEC Survey

BT-Diamond-IP-2014-DNSSEC-SurveyBT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4 over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these type of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!


Congratulations To .NL For Passing 2 Million DNSSEC-Signed Domains

Congratulations to the team at SIDN and all the .NL registrars and DNS hosting providers for the fact that there are now 2 million .NL domain names secured by DNSSEC!  Yesterday as the SIDN team apparently became aware that a large registrar/DNS hosting provider was going to be signing .NL domain names, Kees Monshouwer set up a website that showed an ongoing countdown to when they projected passing the 2 million DNSSEC-signed domain mark.  If you go there now, of course, you see that they’ve passed 2 million domains:


But yesterday the countdown was underway:


It was fun to watch yesterday from time to time… and a definite congratulations to the teams at all the various organizations.

As the news announcement from SIDN (in Dutch) explains, this represents over 36% of the 5.5 million .NL domains now secured with DNSSEC!  The announcement also explains a bit about how this was accomplished.  SIDN, the operator of the .NL registry, offered a financial incentive where .NL domain names are less expensive if they are signed with DNSSEC.  Given that incentive, a number of large registrars who also do DNS hosting set up their DNS systems to do bulk signing of the .NL domain names.  The end result is that their customers are now getting the added security of DNSSEC without the customers needing to do anything more.

This model may or may not work for other top-level domain (TLD) registries, but it certainly has worked well for .NL.  The tweets were fun to see today – among them:


Congrats again… and if YOU want to get started with signing your domain (from whatever TLD), please take a look at our Start Here page to find resources available to you!