Overview

The following DNSSEC deployment statics come from the work of Viktor Dukhovni (Two Sigma), published by Wes Hardaker (USC/ISI) as part of the DNSSEC-Tools project.

Last Updated: Sat Feb 23 04:47:03 2019

Summary Statistics

The current numbers from the DANE/DNSSEC survey are:

Total number of DS Resource Record Sets:
9379114
Total number of working DNSKEYs:
9218260

DANE Trend graphs

Domains with signed MX and DANE records

The following graph depicts the number of domains that have deployed DANE/SMTP. Specifically, their zone is signed, their MX records all point to hosts that have DANE TLSA records.

Zones Hosting DANE Mail Servers

Many of the domains in the previous graph outsource or aggregate their mail servers such that the MX records point to out-of-domain mail servers (i.e. externally hosted mail servers). This graph depicts the number of mail servers that have DANE records deployed for them.

DNSSEC Deployment Statistics

The following tables summarize the deployment size and states of various DNSSEC parameters.

Parameter frequency

DNSKEY parameter frequency (1000 or more instances), by zone count:

KSK

kskalgsflagsprotoalg
498125733
26026225735
220317725737
406228125738
225143257310
2410793257313
62187257314

ZSK

zskalgsflagsprotoalg
498125633
2590925635
218893525637
399665225638
224988256310
1319077256313
61289256314

RSA key size distribution

RSA key size distribution (1000 or more instances), by zone count:

KSK

kskdomainsbits
693404096
50718932048
2982771536
33401280
13057551024
7576512

ZSK

zskdomainsbits
132064096
1101252048
3062451280
60887511024
8105512

RSA exponent distribution

domainsexponent
6739904\x010001
12405\x0100000001
428\x03
48\xff39
34\x40000003
19\xffff

Breakdown by TLD of secure delegations

This table shows the number of delegations with DS records (and thus indicating the subzone is signed). The table also shows the number of succesful DNSKEY lookups for domains under the given TLD, meaning the number of zones that the DNSKEYs within the subzone could be both retrieved and verified as authentic with DNSSEC. Note that reasons failure include both failures in DNS itself for the subzone (e.g. no reachable name servers) or because DNSSEC validation of the results failed.

(Only TLDs are considered where the number of securely delegated subzones is greater than 999)

TLDworkingtotal-DS%working
xn--j6w193g2854285599.96
hk172471725499.96
br52245052268299.96
one138481386799.86
is2156215999.86
mx164081644699.77
de20243820291599.76
app415544166299.74
ovh211502121999.67
lu1098110399.55
fr40105340299699.52
re3482349999.51
art1785179499.50
paris2821283699.47
bzh1473148199.46
nl3081496310044499.39
pro1762177499.32
no37938438210799.29
be26492526690999.26
hu12342012437499.23
gov1156116799.06
studio1135114699.04
tv3459349598.97
cloud4857490998.94
immo1661167998.93
agency1291130698.85
cz64560765311698.85
ch675156830598.84
biz199382019398.74
se72927973889798.70
eu48754349399398.69
ee1677170098.65
tech3859391398.62
info418674246498.59
bank2671271098.56
pt118371201098.56
network995101098.51
io153191555098.51
amsterdam5165524398.51
design1180119898.50
world1826185598.44
online8128826198.39
me9832999498.38
nu9937610102698.37
org10239710418798.28
nz1070108998.26
store2927298298.16
mobi1116113798.15
cc1431145898.15
us7947811497.94
net14233414537197.91
kr3674375797.79
com1072587109722697.75
dk239292449297.70
site2233228897.60
fi3511360197.50
at6386656197.33
it1849190297.21
uk345723563897.01
email2058212296.98
club2048211496.88
ca3315342296.87
li1169120896.77
es178311846196.59
pl44629946245296.51
co6263649596.43
shop115361198896.23
frl3930409495.99
xyz6747703095.97
space1352140995.95
lv3389354895.52
ro1024108694.29
au1257133993.88
in2842303193.76
ru2870309992.61
nrw2242246490.99

Thank you to data contributors!

We thank the following organizations that have submitted data that helped make these statistics possible: