[dns-operations] January 2019 DNSSEC stats

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jan 31 21:31:45 UTC 2019

[ With credit due to Paul Vixie of Farsight Security for supporting
  this survey with ongoing data snapshots that help to significantly
  improve the survey's coverage.  Also of course ICANN for the gTLD
  data via CZDS and data contributions from the TLD registries for
  .CH, .COM, .DK, .INFO, .IS, .NAME, .LI, .NL and .ORG and open access
  for .FR, .NU and .SE.  More data sources of ccTLD signed delegations

  With help with Wes Hardaker, the data in this report are updated
  daily at <http://stats.dnssec-tools.org/>. ]
The January 2019 numbers from the DANE/DNSSEC survey are:


    Total DS RRsets:                9,253,303
    Validatable apex DNSKEY RRsets: 9,107,865

The second of these crossed 9 million for the first time today.
The in progress migration mentioned last month is almost, but not
yet done, so I expect another O(100k) bump once the re-signed domains
are back.

The DANE numbers are substantially higher, with DANE TLSA records
present for the MX hosts of ~1.067 million domains:


Also for the first time this month, the number of ECDSA P256
(algorithm 13) KSKs has edged ahead of the number of algorithm 7


I also want to mention some early signs of DNSSEC adoption by
Google's email servers:


though these were already signed back in late September 2018, I
only recently noticed that these are alternative names for the usual
relays handling Gmail and corporate customer email.  Though there
are as yet very few signed customer domains with as their MX hosts,
this opens the door to progress towards inbound DANE for Google-hosted


More information about the dns-operations mailing list