What do these numbers mean?

This experiment attempts to answer the following question: If an average user had a working installation of DNSSEC on their machine, how useful would it be to them? What percentage of the services and sites the average user regularly accesses are DNSSEC-enabled? In other words, the experiment attempts to quantify the usefulness of DNSSEC to the average end user, given the current deployment of DNSSEC in the Internet.

The experiment does not track how many users or hosts use DNSSEC in the current Internet. It also does not track how many sites have configurations of DNSSEC that are not accessible by average users from the Internet.

The Domain Name System Security Extensions (DNSSEC) secure certain kinds of information provided by the Domain Name System (DNS).

The IETF statistics are based on a list of domain names that are derived from the email addresses of currently-active document authors of Internet Engineering Task Force (IETF) documents. This data set was included to investigate if the organizations that IETF authors come from are more progressive in deploying DNSSEC, compared to the rest of the Internet.

How are these numbers generated?

The scripts that update this page retrieve the names of the web sites that are most popular across the globe, as well as in select countries, from alexa.com in regular intervals. They then check whether the DNS entry for each site name reflects that it uses DNSSEC. The numbers above show the percentage of these top sites that are DNSSEC-enabled, as well as the absolute numbers.

Note that although the DNS entry for a site may indicate that DNSSEC is available, this does not necessarily mean that actually using DNSSEC with the site will succeed. I’ll eventually add code to verify that DNSSEC can be used with sites that claim to enable it.

How representative are these numbers?

They’re reasonably representative, but not perfect. One issue is that the sample sets are very small; alexa.com typically offers lists of 100 to 500 top sites for free, depending on the country. More importantly, though, the sample sets are derived from web site names, because that’s all alexa.com offers. It is not clear that checking DNSSEC deployment based on a set of web site names is resulting in numbers that represent deployment of DNSSEC in the broader Internet.

Attention, operators: I’m interested in basing these statistics on a more meaningful data set. If you can provide me with a regularly-updated list of most-frequently-looked-up DNS names – or, for SPF or DKIM, a list of the domains that generate the most inbound email – please contact me at please enable javascript to view . The larger your network and the longer the list, the better.

How have these numbers been changing over time?

Funny you should ask. The graphs below (click on each image to get a PDF that lets you zoom in) illustrate the weekly changes of DNSSEC deployment in the various sample sets since these measurements started in October 2007:

This graph shows the same data as the one above, but zooms in on the interesting area:

Significant jumps in the historic data (e.g., fall 2008 or spring 2009) are usually due to alexa.com changing what data they make available, or on tracking bugs having been fixed. The latter fixes are often based on suggestions of visitors to this page. See the acknowledgements below.

Download deployment trends as text: global cn de fi in jp kr uk us ietf

Acknowledgements and Changes

• The original idea for these statistics came out of discussions on an “IPv6 clock” in Joe Touch’s group of PhD students at USC/ISI around 1999 – we just never got around to implementing it.
• Thanks to Jari Arkko for the affiliation information of IETF authors, obtained from his author statistics .
• Miguel Garcia explained how to track SIP deployment.
• Marcus Isomäki suggested to track XMPP deployment.
• Jim Fenton pointed out a critical bug in my DKIM tracking code.
• Rickard Bondesson pointed out a critical bug in my DKIM tracking code in September 2008.
• Frank Ellermann suggested to track SPF deployment.
• Eric Vyncke suggested to check some subdomains commonly used for IPv6 in October 2008.
• RK suggested to follow SPF redirects in March 2009.
• In April 2009, alexa.com made 500 domain names per country available, which affected the results.
• Iljitsch van Beijnum pointed out a bug that affected the sort order of the detailed results in March 2010.
• Added more IPv6 subdomains in June 2010.