[dns-operations] Some DNSSEC adoption data points, anyone know of more comprehensive surveys?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Apr 30 05:23:49 UTC 2018

I was looking around for DNSSEC-adoption statistics that might be more comprehensive than what I've gathered as a side-effect of the DANE-adoption survey, but so far I am just finding significantly smaller numbers, so I decided to post some numbers below.  If anyone is aware of broader surveys that reach higher totals, I'd like to know where my gap lies.

  Total secure delegations from public-suffix domains:  5,906,891

The top 10 suffixes with DNSSEC-delegated subdomains are:

  1417555 .nl
   892186 .se         -- based on full zone access
   874038 .com        -- based on full zone access
   420095 .fr	      -- based on 30-day old opendata.fr name list
   340503 .no
   304801 .cz
   301306 .eu
   230590 .com.br
   150053 .nu         -- based on full zone access
   131356 .be

Many of the domains are likely parked, so lookup failure may not matter, in
any case ~2.0% don't return validated DNSKEY RRsets:

  Delegations where the DNSKEY RRset validates:         5,787,259

Of domains with a valid DNSKEY RRset MX lookups very rarely fail
to return either a non-empty signed RRset or working denial of

  Secure MX RRsets at delegated zone apex:              5,786,858

With just 401 (0.007%) MX lookup failures for domains with a working

An additional 158,170 child domains of public suffixes have valid DNSSEC-signed MX records by virtue of being served out of the parent zone rather than delegated.  This makes DANE for SMTP possible in principle for 5,945,028 domains of which at last scan 205,396 (3.4%) have TLSA records for at least all the primary MX hosts, and only 1409 of those domains fail to have TLSA records for some secondary MX hosts.

The top 10 public suffixes serving non-delegated domains are:

  116074 de
   14362 info
    9394 at
    6481 pw
    2958 in
    1047 uk
    1012 ma
     881 jp
     862 lk
     791 mobi


More information about the dns-operations mailing list