Deploy360 IPv6

New State of IPv6 Deployment Report

World IPv6 Launch LogoToday marks five years since World IPv6 Launch and today the Internet Society released a new landmark paper on the State of IPv6 Deployment 2017. Sometimes IPv6 deployment seems slow, but it really is moving along nicely and when we  stop to compare then and now we see huge improvements.

From Mat Ford’s blog post, the highlights of the paper include:

  • IPv6 has increased 3000% since the beginning of World IPv6 Launch five years ago.
  • Deployment is occurring around the globe: Measurements show 37 countries exceed 5% of traffic is IPv6 to major content providers.
  • Over 25% of the Alexa Top 1000 websites are reachable using IPv6.
  • Some networks are now IPv6-only internally (e.g. JPNE, T-Mobile USA, SoftBank), and some major networks are now majority-IPv6 (e.g. RelianceJIO, Verizon Wireless, SkyBroadcasting, XS4ALL).
  • Some organizations are in the process of turning off IPv4 within their networks and/or data centers to reduce network complexity and cost (e.g. T-Mobile, Facebook, LinkedIn).
  • The Internet Society’s core recommendations are to: (a) start now if you haven’t already, (b) use established RFP requirements like RIPE-554: Requirements for IPv6 in ICT Equipment, and (c) take advantage of existing IPv6 deployment information including the Internet Society’s Deploy360 Program.

There’s also already a ITWorld article on the paper including an interview with Fred Baker, Internet Society consultant and author, and Mat Ford, one of our colleagues:

We wish all of you a Happy Launchiversary! Where are you on your deployment transition journey? You can visit our main IPv6 Page for all the resources, or use the guided Start Here page to help you. Looking for something specific and can’t find it? Let us know!

Deploy360 IPv6

IPv6 in Mobile Networks in CircleID's Top 10 Topics of 2016

We are proud to see IPv6, World IPv6 Launch, and our colleague Mat Ford in CircleID’s Top 10 Posts of 2016. The article “IPv6 Now Dominant Protocol for Traffic Among Major US Mobile Providers” from August 2016 ranked #1 on the site with over 16,000 views.

As you can see in the graph above, IPv6 in mobile networks has come a long way, growing from about 37% to over 50% when that post was published in August 2016, to now 61.76% in January 2017.

It’s not just mobile operators that are continuing to make progress, though. The latest Google IPv6 Statistics show over 15% of *all* traffic to Google’s servers is now done over IPv6. If you think back to June 2012 when World IPv6 Launch happened, that number was closer to 1%.

Keep up the great work, network operators!

It’s exciting to see so much progress, but clearly there’s still a lot of work to be done. Interested in deploying IPv6 on your own network? We can help! Check out our “START HERE” section, or skip straight to the IPv6 section of the website and look around. If you don’t find what you need, talk to us! We may have it, or might be able to create it. We are here to help get these numbers even higher!

Deploy360 Domain Name System Security Extensions (DNSSEC)

Over 50% of .CZ domains now signed with DNSSEC!

CZ domain statisticsCongrats to the team at CZ.NIC and to Internet users within the Czech Republic – the number of .CZ domains signed with DNSSEC just passed over the 50% mark! It’s great to see so many businesses, organizations and individuals using .CZ domains now receiving the higher level of trust that comes with DNSSEC signatures.

CZ.NIC’s Ondrej Filip spread the news yesterday in a tweet:

This milestone fits well with other European country code top-level domains (ccTLDs) that also have significant signing of second-level domains, including: Norway’s .NO (58.2%), Sweden’s .SE (also 51.3%), the Netherland’s .NL (45%).

Congrats to Ondrej and the whole team at .CZ for achieving this milestone! Now on to the remaining 48.7%…  🙂

If you want the higher level of trust that comes with signing your domain with DNSSEC, please visit our “Start Here” page to find resources to help you begin!

Deploy360 IPv6

IPv6 usage hits 10%

IPv6 BadgeWell we didn’t quite get what we wanted for Christmas, but we got it for New Year instead! We’re therefore excited that our first post of the New Year is to highlight that the Google IPv6 stats hit 10% for the first time on New Year’s Eve.

The Deploy360 team has been speculating over the past weeks about when this milestone would be reached, and our colleague Phil Roberts has taken the opportunity to cover the occasion on the Tech Matters blog.

Of course, 10% still means there’s a long way to go to deploy IPv6 on the rest of the Internet, but given that IPv6 deployment stood at 5.82% at the same time last year, this represents a yearly increase of more than 70% in the number of users accessing Google with IPv6.

With IPv4 address pools being exhausted or becoming extremely depleted in four of the five RIR regions, now is the time to be implementing IPv6. The signs really are that more and more users are taking heed of the importance of doing this, so please do look at our Start Here page to see how you can get started with IPv6.

We’re also interested to hear from anyone who has implemented IPv6 and can share their experience as a case study, or who’d be willing to share other configuration and/or deployment information that others might find useful. If so, don’t hesitate to contact us.

Deploy360 IPv6

Akamai State of the Internet

Akamai-Logo-RGBAkamai recently published its third quarterly report for 2015 on ‘The State of the Internet‘. As a major content delivery network provider, Akamai is able to collate substantial amounts of data on many metrics including connection speeds, network availability, traffic patterns, and IPv6 adoption.

Whilst the number of unique IPv4 addresses connecting to Akamai continues to increase, there’s substantial evidence this trend is starting to level off as available IPv4 addresses become more scarce. Indeed, the statistics for IPv4 show small declines in some countries like the US, Germany and India which suggests implementation of IPv4 conservation measures such as Carrier Grade NAT, or increased IPv6 adoption.

Belgium remains the country with the highest percentage (34%) of content requests made over IPv6, despite a 8.4% quarterly drop. Switzerland, the United States, Peru and Germany follow with between 17 and 20% traffic, although with the exception of Peru, all saw a decrease from the previous quarter. On the upside, Greece and Estonia saw a sizeable increases in their IPv6 traffic with 37% and 20% respectively.

Cable and mobile providers continue to push IPv6, particularly in the US (Comcast Cable, AT&T, Verizon Wireless, T-Mobile and Time Warner Cable), Belgium (TELENET), Peru (Telefonica del Peru), Switzerland (Swisscom), Germany (Deutsche Telekom and Kabel Deutschland) and Portugal (Sapo). BT has also announced plans to IPv6 enable 100% of its UK network by the end of 2016.

Finally, the report notes that ARIN exhausted its pool of IPv4 addresses in July 2015 and was forced to wait list thirteen requests until it received additional address space from IANA and recovered addresses from other organisations. Whilst the other Regional Internet Registries do still have address space remaining, the substantial transfer activity during the quarter suggests that organisations are increasingly concerned about the availability of address and were taking action to ensure continuity of their business.

It’s clear that organisations really do now need to be actively deploying IPv6, so please take a look at our Start Here page to understand how you can get started transitioning your networks, devices and applications!

Deploy360 IPv6

Google Stats Now Showing Over 8% IPv6

A nice way to end a Friday afternoon… I happened to look at Google’s IPv6 statistics for the first time in a while and see that they’ve climbed up over 8%!

Google IPv6 statsWe’ve kind of stopped celebrating each individual percentage point because the reality is the graph just keeps on going up and to the right in the direction we want!

Still, this was a nice way to end the work week.  Looking forward to celebrating a bit more when they hit 10%!

P.S. As the graph shows, IPv6 at this point is on the trajectory where it is just going to happen … if you haven’t already started figuring out what to do, please do look at our Start Here page to understand how you can get started transitioning your networks, devices and applications to make sure they’re ready!

Deploy360 IPv6

Swisscom Doubles IPv6 Deployment – Verizon Wireless Hits 70% IPv6

Some great news for IPv6 advocates in the latest August 2015 World IPv6 Launch measurements. As our colleague Mat Ford writes, Swisscom doubled their deployment over the past few months to near 40%!

Swisscom IPv6 statistics

Meanwhile, Verizon Wireless continues its steady climb to where the sites measuring activity are now seeing 70% IPv6 deployment from Verizon’s network:

Verizon Wireless IPv6

It continues to be fun to watch this trend line grow up and to the right!

Many more statistics are available at the World IPv6 Launch measurements page. As Mat notes, Telekom Malaysia entered the top ten networks based on the methodology used (see the bottom of the page to learn more).  Congrats to the folks there in Malaysia for making this happen!

If you want to expand your IPv6 efforts, please visit our Start Here page to find resources to help!

And if you are a network operator with IPv6 deployed, why not sign up to join into the World IPv6 Launch measurements effort?  It’s free to you and it will help us continue to understand and measure the transition to IPv6!

Deploy360 IPv6

Verizon Wireless Nears 70% IPv6, AT&T Crosses 50%, More…

The latest World IPv6 Launch measurements are out for May 15 and as my colleague Mat Ford explains in a blog post, there’s a lot of great momentum happening! My attention was drawn to the fact that Verizon Wireless is at 69.1%… at their current rate they should cross over 70% by next month:

Verizon Wireless IPv6 measurements

As Mat noted, AT&T broke through the 50% IPv6 mark this month and has the kind of growth chart you love to see:


Looking at the May measurements, T-Mobile USA also continues their solid growth as do Comcast, Time Warner Cable and Telefonica del Peru.

Mat’s post also dives into some of the newer entrants such as Saudi Arabia’s Saudi Telecom Company.

All around great news to see!  IPv6 deployment is happening! 🙂

If you’ve started deploying IPv6 in your network, why not sign up to have your network counted in the measurements?  It’s free and you’ll help the global technical community gain more insight into the true status of IPv6 deployment.

And if you haven’t started with IPv6 yet, please do visit our Start Here page to find resources to get going!  The time is now!

Deploy360 Domain Name System Security Extensions (DNSSEC)

Another Great DNSSEC Statistics Site For Second-Level Domains –

Want to know how many domains are signed with DNSSEC under each top-level domain (TLD)?  We now have another site to help!  For over a year now, every week I use a great site that Rick Lamb maintains at:

so that I can find out what new domains I need to add to our DNSSEC Deployment Maps database. By default he shows a reverse-chronological list of all the TLDs that are signed.


… if you look over on the right side Rick has added something new!  Two new columns labeled “% Signed” and “Misc”.  These show you:

  • The percentage of total domains that are signed with DNSSEC;
  • The raw numbers of signed domains / total domains.

What’s very cool is that you can click on each heading to sort the columns. Click once to sort from lowest to highest. Click once more to sort from highest to lowest.

This second sort is where it gets interesting.

With the “% Signed” you have to scroll down a bit because of course brand new TLDs that only have one domain (often nic.TLD) and also have that domain signed score 100%.  But as you go down the list it starts to get more interesting.  Here’s a view part of the way down:

DNSSEC Statistics

What I find MUCH more interesting, though, is the raw numbers showing the number of DNSSEC-signed domains.  Click on the “Misc” heading cell twice and you get something like this:

DNSSEC stats

That shows us that .NL has the most with 2.4 million domains signed followed by .COM with 491 thousand domains and then .CZ, .SE and onwards.

What you will notice that is different here from the ntldstats DNSSEC stats site I wrote about last week is that Rick’s site pulls in data from some of the country-code TLDs (ccTLDs) and also some of the original generic TLDs (gTLDs) such as .COM, .NET, etc.    The ntldstats site is (understandably) only about the “new gTLDs” whereas Rick’s site covers the wider range of TLDs.

Notice that I said “some” of the ccTLDs and gTLDs.  Rick can only incorporate data from TLDs that provide some kind of feed he can use.  If you scroll on down the list you’ll see that there are TLDs there that have no numbers next to them:

DNSSEC stats

However, we know from NIC.BR’s statistics page that .BR has 747,000 domains signed with DNSSEC, which would move it into the second position above .COM in the listing.  Similarly .ORG has many signed domains, too.

Over time hopefully we can get these other TLDs to offer statistics feeds in a way that sites like Rick’s can consume them and help provide a more solid view of overall DNSSEC deployment.

Meanwhile, it’s fantastic that Rick has made these updates to his site and it is a great service to the larger Internet community that he maintains this info. (Thanks, Rick!)

I’m looking forward to seeing these numbers grow!

P.S. If you’d like to help these numbers grow, why not head over to our Start Here page and find out how can get started with signing your domains with DNSSEC?

Deploy360 Domain Name System Security Extensions (DNSSEC)

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)

Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the 100s of new generic top-level domains (newgTLDs) are seeing the most second-level domains signed with DNSSEC. You can see the stats at:

Here is a view of how it looks right now:

newgTLD DNSSEC stats

The site shows a number of interesting stats, including:

  • the percentage of newgTLDs with signed second-level domains in them (60.80% at the time I write this)
  • the number and percentage of signed zones as it relates to the overall number of registered domains within the newgTLDs
  • the number of zones (of those signed) that failed DNSSEC validation (indicating a configuration issue)
  • a trend line over time
  • the distribution of signed domains across the number of newgTLDs
  • breakdowns of signed domains by both newgTLD and also by registrar

While the overall number of signed domains today within the 5.2 million domains registered in the newgTLDs is a very small 0.95%, we now have a very easy way to see where DNSSEC signing is being actively used – and a way to measure which of the newgTLDs and also registrars are doing the most to support DNSSEC deployment.

I was intrigued to see that the leader of the newgTLDs is the .OVH TLD sponsored by a French hosting provider, OVH, with Afnic providing the back-end registry. According to their site, the OVH domain started as an April Fool’s joke in 2009 and then became a reality due to the interest.  Clicking through to their registrar site (they are apparently the only registrar for the .OVH domain), you can see why they have so many domains signed – they have a “Activate DNSSEC on this extension!” link directly on their registration page!

Looking at the Registrar Breakdown column, the OVH registrar leads in the number of DNSSEC-signed newgTLDs, presumably because they are again offering DNSSEC-signing to anyone who uses them for DNS hosting, regardless of what newgTLD they register under.

I was also curious as to why “.paris” was the second-highest newgTLD with 2,347 signed domains, but the probably answer could be quickly found by clicking through to the .paris page. It shows the top 2 registrars as “Gandi SAS” and “OVH sas”… my guess would be that many/most of the 2,347 signed domains could come from the 4,000 domains registered by OVH, given that they are actively promoting DNSSEC.

Another interesting element of this new page is that you can change the slider underneath the trend line to see more stats over time.  By moving the slider all the way to the left you can get a view of the trend in the newgTLDs:

dnssec signing trend chart

There’s a huge jump in October 2014.  Given the other stats and the information on the OVH web site, my guess would be that this was a result of the launch of the .OVH newgTLD.

Anyway… there’s probably a lot more we can learn from exploring the statistics in this way.  The key point is that now there is a very easy-to-use web interface that lets us track and be able to show which of the newgTLDs are doing the most to provide registrants the security provided by DNSSEC.  I’d note that this is all possible because all of the new gTLDs are required by ICANN to submit their zone files to the Centralized Zone Data Service (CZDS), allowing sites like nTLDstats to query the CZDS and build views such as these.

Kudos to the nTLDstats team for adding this page!  I will be adding it to our DNSSEC Statistics page and look forward to using it over time.

P.S. Want to get started with signing your domain?  Visit our Start Here page to learn how!

Deploy360 Domain Name System Security Extensions (DNSSEC)

Over 600 Top-Level Domains Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:

DNSSEC statistics

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world.  If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

ccTLD dnssec deployment map

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD.  Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops,  ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead.  The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!

Great to see!

P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.

Deploy360 Domain Name System Security Extensions (DNSSEC)

BT Releases Results of 2014 DNSSEC Survey

BT-Diamond-IP-2014-DNSSEC-SurveyBT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4 over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these type of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!