Overview

The following DNSSEC deployment statics come from the work of Viktor Dukhovni (Two Sigma), published by Wes Hardaker (USC/ISI) as part of the DNSSEC-Tools project.

Last Updated: Fri Dec 14 04:47:02 2018

Summary Statistics

The current numbers from the DANE/DNSSEC survey are:

Total number of DS Resource Record Sets:
8717130
Total number of working DNSKEYs:
8597321

DANE Trend graphs

Domains with signed MX and DANE records

The following graph depicts the number of domains that have deployed DANE/SMTP. Specifically, their zone is signed, their MX records all point to hosts that have DANE TLSA records.

Zones Hosting DANE Mail Servers

Many of the domains in the previous graph outsource or aggregate their mail servers such that the MX records point to out-of-domain mail servers (i.e. externally hosted mail servers). This graph depicts the number of mail servers that have DANE records deployed for them.

DNSSEC Deployment Statistics

The following tables summarize the deployment size and states of various DNSSEC parameters.

Parameter frequency

DNSKEY parameter frequency (1000 or more instances), by zone count:

KSK

kskalgsflagsprotoalg
467725733
25988725735
218880525737
402806725738
201770257310
1852231257313
61459257314

ZSK

zskalgsflagsprotoalg
467725633
3267525635
217563925637
396364625638
201553256310
812692256313
60534256314

RSA key size distribution

RSA key size distribution (1000 or more instances), by zone count:

KSK

kskdomainsbits
679824096
49933812048
3049581536
31891280
13082131024
8007512

ZSK

zskdomainsbits
132064096
1101252048
3062451280
60887511024
8105512

RSA exponent distribution

domainsexponent
6667335\x010001
12580\x0100000001
438\x03
47\xff39
34\x40000003
19\xffff

Breakdown by TLD of secure delegations

This table shows the number of delegations with DS records (and thus indicating the subzone is signed). The table also shows the number of succesful DNSKEY lookups for domains under the given TLD, meaning the number of zones that the DNSKEYs within the subzone could be both retrieved and verified as authentic with DNSSEC. Note that reasons failure include both failures in DNS itself for the subzone (e.g. no reachable name servers) or because DNSSEC validation of the results failed.

(Only TLDs are considered where the number of securely delegated subzones is greater than 999)

TLDworkingtotal-DS%working
xn--j6w193g23682368100.00
br49177449199599.96
hk155981560899.94
is2064206799.85
mx165131655099.78
app383243841599.76
ovh213212139499.66
art1728173499.65
studio1036104199.52
immo1620162899.51
bzh1451145999.45
de887828927899.44
paris2807282399.43
fr40383240623899.41
nl3062236308120799.38
no38407738664099.34
pro1498150999.27
re3635366299.26
hu11972212064499.24
agency1218122899.19
cz58897459500698.99
ch616736230998.98
eu48666649199998.92
be15347715521098.88
tv3274331198.88
cloud4116416398.87
ee1560157898.86
biz197662001898.74
world1765178898.71
online7792789998.65
se58841559664498.62
info386753922298.61
mobi1110112698.58
fi3364341398.56
bank2652269198.55
tech3664371898.55
pt120071218798.52
one1089110698.46
gov1144116298.45
io138401407598.33
org9842310015398.27
cc1356138098.26
me9107927398.21
nu940879580698.21
design1088111098.02
store2763281998.01
nz1031105298.00
net13032313314697.88
us7449761297.86
li1095111997.86
kr3786386997.85
amsterdam5149527497.63
dk226492320497.61
com94908797255997.59
at6268643397.44
it1595164097.26
club1891194597.22
uk321863313197.15
space1265130397.08
email1942200197.05
site2004206996.86
ca2802290196.59
pl45018246629096.55
shop110921149096.54
es169061752496.47
xyz6411666496.20
co5497571896.14
lv3353351695.36
frl3929413894.95
au1193126194.61
ro951100694.53
in2637281493.71
ru2619286791.35
nrw2217247189.72