Overview

The following DNSSEC deployment statics come from the work of Viktor Dukhovni (Two Sigma), published by Wes Hardaker (USC/ISI) as part of the DNSSEC-Tools project.

Note: click on column names to sort the table.

Last Updated: Sun May 19 04:47:03 2019

Summary Statistics

The current numbers from the DANE/DNSSEC survey are:

Total number of DS Resource Record Sets:
9725039
Total number of working DNSKEYs:
9522607

DNSSEC Trend Graphs

The following graph depicts the number of signed delegations from public suffix list domains in our dataset.

DANE Trend graphs

Domains with signed MX and DANE records

The following graph depicts the number of domains that have deployed DANE/SMTP. Specifically, their zone is signed, their MX records all point to hosts that have DANE TLSA records.

Zones Hosting DANE Mail Servers

Many of the domains in the previous graph outsource or aggregate their mail servers such that the MX records point to out-of-domain mail servers (i.e. externally hosted mail servers). This graph depicts the number of mail servers that have DANE records deployed for them.

DNSSEC Deployment Statistics

The following tables summarize the deployment size and states of various DNSSEC parameters.

Parameter frequency

DNSKEY parameter frequency (1000 or more instances), by zone count:

KSK

kskalgsflagsprotoalg
487425733
26770225735
222169925737
410597125738
236280257310
2630699257313
61907257314

ZSK

zskalgsflagsprotoalg
487525633
2571325635
220604825637
403912925638
236115256310
1397193256313
61003256314

RSA key size distribution

RSA key size distribution (1000 or more instances), by zone count:

KSK

kskdomainsbits
697154096
51551342048
2860811536
37001280
13147641024
7289512

ZSK

zskdomainsbits
142844096
4955092048
2909971280
60716221024
7051512

RSA exponent distribution

domainsexponent
6820641\x010001
11371\x0100000001
418\x03
77\xff39
34\x40000003
19\xffff

Breakdown by TLD of secure delegations

This table shows the number of delegations with DS records (and thus indicating the subzone is signed). The table also shows the number of succesful DNSKEY lookups for domains under the given TLD, meaning the number of zones that the DNSKEYs within the subzone could be both retrieved and verified as authentic with DNSSEC. Note that reasons failure include both failures in DNS itself for the subzone (e.g. no reachable name servers) or because DNSSEC validation of the results failed.

(Only TLDs are considered where the number of securely delegated subzones is greater than 999)

TLDworkingtotal-DS%working
boston95169516100.00
bible11711171100.00
br52173352196199.96
xn--j6w193g3110311299.94
hk170341705199.90
is2283228699.87
mx163621639399.81
one139661399599.79
de20006420051799.77
lu1485149099.66
ovh212312130799.64
fr41090541252299.61
paris2835284799.58
app464464668099.50
art1897190799.48
nl3124782314395299.39
re3403342499.39
no37865338103399.38
be28233528438099.28
hu12303812410399.14
pro2237225799.11
ee1988200699.10
ch840988490699.05
tv3678371499.03
studio1192120499.00
today1045105698.96
cz69474970239098.91
agency1400141698.87
cloud5477554198.84
dev139881415398.83
bzh1520153898.83
it4317437098.79
pt118061195798.74
immo1669169198.70
se74362375370698.66
gov1170118698.65
biz203292060898.65
eu48029548698698.63
blog995100998.61
bank2682272098.60
io157761601498.51
design1270129098.45
info436344432498.44
amsterdam4948502798.43
network1124114298.42
me105401071998.33
nu10496410682198.26
org11018111216398.23
tech4220430198.12
cc1720175498.06
net15069815385297.95
nz1132115697.92
mobi1222124897.92
com1190705121622597.90
online8739892797.89
world2022206797.82
dk253572592897.80
kr3955404797.73
us8497869597.72
fi4019412197.52
nrw2243230097.52
at7318750697.50
lv3500359097.49
li1380142197.11
store3108320297.06
es183881895397.02
email2239231096.93
co8063832396.88
club2296237296.80
pl45355146916296.67
ca4009414796.67
uk356243686696.63
xyz7191746796.30
space1603166896.10
site2590270695.71
frl3708387595.69
au1449153794.27
ro1156122994.06
in3075327293.98
ru3124334293.48
shop105981155391.73

Thank you to data contributors!

We thank the following organizations that have submitted data that helped make these statistics possible: