07 Sep

DNSSEC deployment across the ccTLDs

While I am spending time on APNIC’s security workshop here at APNIC 46, I got curious about DNSSEC deployment across ccTLDs. 

For those who may be unaware, DNSSEC adds signature the DNS responses making it possible to cryptographically verify a DNS query response. 

Out of 254 ccTLDs, 125 support DNSSEC with a published DS record (at least that is what I get when I check their zone) and 129 do not support it as yet. So, for now, it is at 49.21%. 

ccTLDStatus
acTRUE
adTRUE
aeFALSE
afTRUE
agTRUE
aiFALSE
alFALSE
amTRUE
anFALSE
aoFALSE
aqFALSE
arTRUE
asFALSE
atTRUE
auTRUE
awTRUE
axTRUE
azTRUE
baFALSE
bbFALSE
bdFALSE
beTRUE
bfFALSE
bgTRUE
bhFALSE
biFALSE
bjFALSE
blFALSE
bmTRUE
bnFALSE
boFALSE
bqFALSE
brTRUE
bsFALSE
btTRUE
bvFALSE
bwTRUE
byTRUE
bzTRUE
caTRUE
ccTRUE
cdFALSE
cfFALSE
cgFALSE
chTRUE
ciFALSE
ckFALSE
clTRUE
cmFALSE
cnTRUE
coTRUE
crTRUE
cuFALSE
cvFALSE
cwFALSE
cxTRUE
cyFALSE
czTRUE
deTRUE
djFALSE
dkTRUE
dmFALSE
doFALSE
dzFALSE
ecFALSE
eeTRUE
egFALSE
ehFALSE
erFALSE
esTRUE
etFALSE
euTRUE
fiTRUE
fjFALSE
fkFALSE
fmFALSE
foTRUE
frTRUE
gaFALSE
gbFALSE
gdTRUE
geFALSE
gfFALSE
ggFALSE
ghFALSE
giTRUE
glTRUE
gmFALSE
gnTRUE
gpFALSE
gqFALSE
grTRUE
gsTRUE
gtFALSE
guFALSE
gwTRUE
gyFALSE
hkTRUE
hmFALSE
hnTRUE
hrTRUE
htFALSE
huTRUE
idTRUE
ieTRUE
ilTRUE
imFALSE
inTRUE
ioTRUE
iqFALSE
irFALSE
isTRUE
itTRUE
jeFALSE
jmFALSE
joFALSE
jpTRUE
keTRUE
kgTRUE
khFALSE
kiTRUE
kmFALSE
knFALSE
kpFALSE
krTRUE
kwFALSE
kyTRUE
kzFALSE
laTRUE
lbTRUE
lcTRUE
liTRUE
lkTRUE
lrTRUE
lsFALSE
ltTRUE
luTRUE
lvTRUE
lyFALSE
maTRUE
mcFALSE
mdFALSE
meTRUE
mfFALSE
mgTRUE
mhFALSE
mkFALSE
mlFALSE
mmTRUE
mnTRUE
moFALSE
mpFALSE
mqFALSE
mrFALSE
msFALSE
mtFALSE
muFALSE
mvFALSE
mwFALSE
mxTRUE
myTRUE
mzFALSE
naTRUE
ncTRUE
neFALSE
nfTRUE
ngFALSE
niFALSE
nlTRUE
noTRUE
npFALSE
nrFALSE
nuTRUE
nzTRUE
omFALSE
paFALSE
peTRUE
pfFALSE
pgFALSE
phFALSE
pkFALSE
plTRUE
pmTRUE
pnFALSE
prTRUE
psFALSE
ptTRUE
pwTRUE
pyFALSE
qaFALSE
reTRUE
roTRUE
rsFALSE
ruTRUE
rwFALSE
saTRUE
sbTRUE
scTRUE
sdFALSE
seTRUE
sgTRUE
shTRUE
siTRUE
sjTRUE
skFALSE
slFALSE
smFALSE
snTRUE
soFALSE
srFALSE
ssFALSE
stFALSE
suTRUE
svFALSE
sxTRUE
syFALSE
szFALSE
tcFALSE
tdFALSE
tfTRUE
tgFALSE
thTRUE
tjFALSE
tkFALSE
tlTRUE
tmTRUE
tnTRUE
toFALSE
tpFALSE
trFALSE
ttTRUE
tvTRUE
twTRUE
tzTRUE
uaTRUE
ugTRUE
ukTRUE
umFALSE
usTRUE
uyTRUE
uzFALSE
vaFALSE
vcTRUE
veFALSE
vgFALSE
viFALSE
vnTRUE
vuTRUE
wfTRUE
wsTRUE
ytTRUE
zaTRUE
zmTRUE
zwFALSE





About all TLDs in the root zone

There are 1540 TLDs right now in the root zone out of which 145 do not support DNSSEC as yet (129 of that is ccTLD alone). 1396 do have DS record at the DNS zone in TLD level. I have published the full list here.

Note: Full DNSSEC support is more than just DS record in the zone.