Home / Blogs

New Report on “State of DNSSEC Deployment 2016” Shows Continued Growth

Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers?

These facts and many more are available in a new report published by the Internet Society: State of DNSSEC Deployment 2016

While many separate sites provide DNSSEC statistics, this report collects the information into a series of tables and charts that paint an overall picture of the state of DNSSEC deployment as of December 2016.

As the report indicates, there has been steady and strong growth in both the statistics around DNSSEC signing and validation—and also in the number of tools and libraries available to support DNSSEC. It also discusses the growth of DANE usage (DNS-based Authentication of Named Entities), particularly for securing email communication.

That growth, though, is not evenly distributed.

In some parts of the world, particularly in Europe, there is solid growth in both DNSSEC signing and validation. In other parts of the world, the numbers are significantly lower.

Similarly, while some country-code top-level-domains (ccTLDs) such as .CZ, .SE, .NL and .BR are seeing high levels of DNSSEC signing of second-level domains, other ccTLDs are just beginning to see DNSSEC-signed domains. And among the other TLDs, some such as .GOV have almost 90% of their second-level domains signed, while .COM has under 1% signed.

The report dives into all this and more. Beyond statistics, the document explores some of the current challenges to deployment of DNSSEC and provides a case study. It also includes many links to further resources for more exploration.
Creating a report of this level involves a great number of people. I’d like to thank all the members of the DNS / DNSSEC community who provided data, reviews, proofreading and other support.

Our intent is that this will be an annual report where we can look back and see what has changed year-over-year. Our target now is for the 2017 report to be delivered at the DNSSEC Workshop at ICANN 60 in November. To that end, I would definitely welcome any comments people have about what is in the report and what people find useful and helpful. I’d also welcome comments about anything we may have missed.
Please do read and share this report widely. We’d like people to understand the current state of DNSSEC deployment—and how we can work together to accelerate that progress. On that note, if you want to get started with DNSSEC for your own network or domains, many resources are available to help.

P.S. an audio commentary is also available on this topic for those interested in listening to me talk about this topic.

By Dan York, Author and Speaker on Internet technologies - and on staff of Internet Society

Dan is the Director, Online Content, for the Internet Society but opinions posted on CircleID are his own. View more of Dan’s writing and audio here.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign