DNSSEC deployment across the ccTLDs
While I am spending time on APNIC’s security workshop here at APNIC 46, I got curious about DNSSEC deployment across ccTLDs.
For those who may be unaware, DNSSEC adds signature the DNS responses making it possible to cryptographically verify a DNS query response.
Out of 254 ccTLDs, 125 support DNSSEC with a published DS record (at least that is what I get when I check their zone) and 129 do not support it as yet. So, for now, it is at 49.21%.
ccTLD | Status |
ac | TRUE |
ad | TRUE |
ae | FALSE |
af | TRUE |
ag | TRUE |
ai | FALSE |
al | FALSE |
am | TRUE |
an | FALSE |
ao | FALSE |
aq | FALSE |
ar | TRUE |
as | FALSE |
at | TRUE |
au | TRUE |
aw | TRUE |
ax | TRUE |
az | TRUE |
ba | FALSE |
bb | FALSE |
bd | FALSE |
be | TRUE |
bf | FALSE |
bg | TRUE |
bh | FALSE |
bi | FALSE |
bj | FALSE |
bl | FALSE |
bm | TRUE |
bn | FALSE |
bo | FALSE |
bq | FALSE |
br | TRUE |
bs | FALSE |
bt | TRUE |
bv | FALSE |
bw | TRUE |
by | TRUE |
bz | TRUE |
ca | TRUE |
cc | TRUE |
cd | FALSE |
cf | FALSE |
cg | FALSE |
ch | TRUE |
ci | FALSE |
ck | FALSE |
cl | TRUE |
cm | FALSE |
cn | TRUE |
co | TRUE |
cr | TRUE |
cu | FALSE |
cv | FALSE |
cw | FALSE |
cx | TRUE |
cy | FALSE |
cz | TRUE |
de | TRUE |
dj | FALSE |
dk | TRUE |
dm | FALSE |
do | FALSE |
dz | FALSE |
ec | FALSE |
ee | TRUE |
eg | FALSE |
eh | FALSE |
er | FALSE |
es | TRUE |
et | FALSE |
eu | TRUE |
fi | TRUE |
fj | FALSE |
fk | FALSE |
fm | FALSE |
fo | TRUE |
fr | TRUE |
ga | FALSE |
gb | FALSE |
gd | TRUE |
ge | FALSE |
gf | FALSE |
gg | FALSE |
gh | FALSE |
gi | TRUE |
gl | TRUE |
gm | FALSE |
gn | TRUE |
gp | FALSE |
gq | FALSE |
gr | TRUE |
gs | TRUE |
gt | FALSE |
gu | FALSE |
gw | TRUE |
gy | FALSE |
hk | TRUE |
hm | FALSE |
hn | TRUE |
hr | TRUE |
ht | FALSE |
hu | TRUE |
id | TRUE |
ie | TRUE |
il | TRUE |
im | FALSE |
in | TRUE |
io | TRUE |
iq | FALSE |
ir | FALSE |
is | TRUE |
it | TRUE |
je | FALSE |
jm | FALSE |
jo | FALSE |
jp | TRUE |
ke | TRUE |
kg | TRUE |
kh | FALSE |
ki | TRUE |
km | FALSE |
kn | FALSE |
kp | FALSE |
kr | TRUE |
kw | FALSE |
ky | TRUE |
kz | FALSE |
la | TRUE |
lb | TRUE |
lc | TRUE |
li | TRUE |
lk | TRUE |
lr | TRUE |
ls | FALSE |
lt | TRUE |
lu | TRUE |
lv | TRUE |
ly | FALSE |
ma | TRUE |
mc | FALSE |
md | FALSE |
me | TRUE |
mf | FALSE |
mg | TRUE |
mh | FALSE |
mk | FALSE |
ml | FALSE |
mm | TRUE |
mn | TRUE |
mo | FALSE |
mp | FALSE |
mq | FALSE |
mr | FALSE |
ms | FALSE |
mt | FALSE |
mu | FALSE |
mv | FALSE |
mw | FALSE |
mx | TRUE |
my | TRUE |
mz | FALSE |
na | TRUE |
nc | TRUE |
ne | FALSE |
nf | TRUE |
ng | FALSE |
ni | FALSE |
nl | TRUE |
no | TRUE |
np | FALSE |
nr | FALSE |
nu | TRUE |
nz | TRUE |
om | FALSE |
pa | FALSE |
pe | TRUE |
pf | FALSE |
pg | FALSE |
ph | FALSE |
pk | FALSE |
pl | TRUE |
pm | TRUE |
pn | FALSE |
pr | TRUE |
ps | FALSE |
pt | TRUE |
pw | TRUE |
py | FALSE |
qa | FALSE |
re | TRUE |
ro | TRUE |
rs | FALSE |
ru | TRUE |
rw | FALSE |
sa | TRUE |
sb | TRUE |
sc | TRUE |
sd | FALSE |
se | TRUE |
sg | TRUE |
sh | TRUE |
si | TRUE |
sj | TRUE |
sk | FALSE |
sl | FALSE |
sm | FALSE |
sn | TRUE |
so | FALSE |
sr | FALSE |
ss | FALSE |
st | FALSE |
su | TRUE |
sv | FALSE |
sx | TRUE |
sy | FALSE |
sz | FALSE |
tc | FALSE |
td | FALSE |
tf | TRUE |
tg | FALSE |
th | TRUE |
tj | FALSE |
tk | FALSE |
tl | TRUE |
tm | TRUE |
tn | TRUE |
to | FALSE |
tp | FALSE |
tr | FALSE |
tt | TRUE |
tv | TRUE |
tw | TRUE |
tz | TRUE |
ua | TRUE |
ug | TRUE |
uk | TRUE |
um | FALSE |
us | TRUE |
uy | TRUE |
uz | FALSE |
FALSE | |
vc | TRUE |
ve | FALSE |
vg | FALSE |
vi | FALSE |
vn | TRUE |
vu | TRUE |
wf | TRUE |
ws | TRUE |
yt | TRUE |
za | TRUE |
zm | TRUE |
zw | FALSE |
About all TLDs in the root zone
There are 1540 TLDs right now in the root zone out of which 145 do not support DNSSEC as yet (129 of that is ccTLD alone). 1396 do have DS record at the DNS zone in TLD level. I have published the full list here.
Note: Full DNSSEC support is more than just DS record in the zone.