Global DNSSEC Deployment: 0.0% (500 sites tested, 3 DNS errors, 0 with DNSSEC)
China: 0.0% (100 sites tested, 5 DNS errors, 0 with DNSSEC)
Germany: 0.0% (100 sites tested, 1 DNS error, 0 with DNSSEC)
Finland: 0.0% (100 sites tested, 0 DNS errors, 0 with DNSSEC)
India: 0.0% (100 sites tested, 1 DNS error, 0 with DNSSEC)
IETF*: 1.0% (2025 sites tested, 270 DNS errors, 18 with DNSSEC)
South Korea: 0.0% (100 sites tested, 0 DNS errors, 0 with DNSSEC)
United Kingdom: 0.0% (100 sites tested, 0 DNS errors, 0 with DNSSEC)
United States: 0.0% (100 sites tested, 0 DNS errors, 0 with DNSSEC)
Japan: 0.0% (100 sites tested, 1 DNS error, 0 with DNSSEC)
* See "What do these numbers mean?" for details about the IETF data set.
Last update: 2008-07-24
What do these numbers mean?
This experiment attempts to answer the following question: If an average user had a working installation of DNSSEC on their machine, how useful would it be to them? What percentage of the services and sites the average user regularly accesses are DNSSEC-enabled? In other words, the experiment attempts to quantify the usefulness of DNSSEC to the average end user, given the current deployment of DNSSEC in the Internet.
The experiment does not track how many users or hosts use DNSSEC in the current Internet. It also does not track how many sites have configurations of DNSSEC that are not accessible by average users from the Internet.
The Domain Name System Security Extensions (DNSSEC) secure certain kinds of information provided by the Domain Name System (DNS).
The IETF statistics are based on a list of domain names that are derived from the email addresses of currently-active document authors of Internet Engineering Task Force (IETF) documents. This data set was included to investigate if the organizations that IETF authors come from are more progressive in deploying DNSSEC, compared to the rest of the Internet.
How are these numbers generated?
The scripts that update this page retrieve the names of the web sites that are most popular across the globe, as well as in select countries, from alexa.com at regular intervals. They then check whether the DNS entry for each site name reflects that it uses DNSSEC. The numbers above show the percentage of these top sites that are DNSSEC-enabled, as well as the absolute numbers.
Note that although the DNS entry for a site may indicate that DNSSEC is available, this does not necessarily mean that actually using DNSSEC with the site will succeed. I'll eventually add code to verify that DNSSEC can be used with sites that claim to enable it.
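One way such a check and tally could work, as an added example that is not the code behind this page: classify each raw DNS response as signed, unsigned or a DNS error, then count them the way the table above does. It assumes the responses come from queries sent with the EDNS0 DO bit set, that an RRSIG record in the answer section is what marks a site as DNSSEC-enabled, and that the percentage is taken over lookups that did not fail (an assumption that matches the IETF row, where 18 of the 2025 - 270 answered lookups gives 1.0%). All function names and the sample responses are constructed for illustration.

```python
import struct

RRSIG = 46  # RR type code for DNSSEC signatures (RFC 4034)

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Return 'error', 'signed' or 'unsigned' for one raw DNS response."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x000F:               # any RCODE other than NOERROR
            return "error"
        off = 12
        for _ in range(qd):              # skip the echoed question section
            off = skip_name(msg, off) + 4
        for _ in range(an):              # scan answers for a signature record
            off = skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == RRSIG:
                return "signed"
            off += 10 + rdlen
        return "unsigned"
    except (struct.error, IndexError):   # truncated or malformed message
        return "error"

def tally(responses):
    """Counts as in the table above; percent is taken over answered lookups."""
    kinds = [classify(r) for r in responses]
    answered = len(kinds) - kinds.count("error")
    pct = round(100.0 * kinds.count("signed") / answered, 1) if answered else 0.0
    return {"tested": len(kinds), "errors": kinds.count("error"),
            "dnssec": kinds.count("signed"), "percent": pct}

def sample_response(name, rcode=0, signed=False):
    """Constructed test data: an A answer plus, if signed, a stub RRSIG."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    answers = [] if rcode else [rr(1, bytes([192, 0, 2, 1]))]
    if signed and not rcode:
        answers.append(rr(RRSIG, b"\x00" * 18))  # opaque filler, not a real signature
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    return hdr + qname + struct.pack("!HH", 1, 1) + b"".join(answers)
```

Like the scripts described above, this only detects that signatures are published; it does not validate them, so a "signed" result does not show that DNSSEC validation would succeed.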
How representative are these numbers?
They're reasonably representative, but not perfect. One issue is that the sample sets are very small; Alexa typically offers lists of 100 to 500 top sites for free, depending on the country. More importantly, though, the sample sets are derived from web site names, because that's all Alexa offers. It is not clear that checking DNSSEC deployment based on a set of web site names results in numbers that represent deployment of DNSSEC in the broader Internet.
Attention, operators: I'm interested in basing these statistics on a more meaningful data set. If you can provide me with a regularly-updated list of most-frequently-looked-up DNS names – or, for SPF or DKIM, a list of the domains that generate the most inbound email – please contact me. The larger your network and the longer the list, the better.
How have these numbers been changing over time?
Funny you should ask. The graphs below illustrate the weekly changes of DNSSEC deployment in the various sample sets since these measurements started in October 2007:
This graph shows the same data as the one above, but zooms in on the interesting area:
Acknowledgements
The original idea for these statistics came out of discussions on an "IPv6 clock" in Joe Touch's group of PhD students at USC/ISI around 1999 – we just never got around to implementing it.
Thanks to Jari Arkko for the affiliation information of IETF authors, obtained from his author statistics. Miguel Garcia explained how to track SIP deployment. Marcus Isomäki suggested tracking XMPP deployment. Jim Fenton pointed out a critical bug in my DKIM tracking code. Frank Ellermann suggested tracking SPF deployment.

