As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:
This represents 77% of all current TLDs!
Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world. If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:
Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.
BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!
After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD. Look at how successful Norway has been with .NO after they recently signed the domain!
With some of the work that is happening via various DNSSEC Workshops, ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead. The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!
Great to see!
P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.