Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers?

These facts and many more are available in a new report published by the Internet Society: State of DNSSEC Deployment 2016

While many separate sites provide DNSSEC statistics, this report collects the information into a series of tables and charts that paint an overall picture of the state of DNSSEC deployment as of December 2016.

As the report indicates, there has been steady and strong growth in both the statistics around DNSSEC signing and validation—and also in the number of tools and libraries available to support DNSSEC. It also discusses the growth of DANE usage (DNS-based Authentication of Named Entities), particularly for securing email communication.

That growth, though, is not evenly distributed.

In some parts of the world, particularly in Europe, there is solid growth in both DNSSEC signing and validation. In other parts of the world, the numbers are significantly lower.

Similarly, while some country-code top-level-domains (ccTLDs) such as .CZ, .SE, .NL and .BR are seeing high levels of DNSSEC signing of second-level domains, other ccTLDs are just beginning to see DNSSEC-signed domains. And among the other TLDs, some such as .GOV have almost 90% of their second-level domains signed, while .COM has under 1% signed.

The report dives into all this and more. Beyond statistics, the document explores some of the current challenges to deployment of DNSSEC and provides a case study. It also includes many links to further resources for more exploration.
Creating a report of this level involves a great number of people. I’d like to thank all the members of the DNS / DNSSEC community who provided data, reviews, proofreading and other support.

Our intent is that this will be an annual report where we can look back and see what has changed year-over-year. Our target now is for the 2017 report to be delivered at the DNSSEC Workshop at ICANN 60 in November. To that end, I would definitely welcome any comments people have about what is in the report and what people find useful and helpful. I’d also welcome comments about anything we may have missed.
Please do read and share this report widely. We’d like people to understand the current state of DNSSEC deployment—and how we can work together to accelerate that progress. On that note, if you want to get started with DNSSEC for your own network or domains, many resources are available to help.

P.S. an audio commentary is also available on this topic for those interested in listening to me talk about this topic.