Deploy360 29 April 2015

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)

By Dan YorkDirector, Internet Technology

Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the 100s of new generic top-level domains (newgTLDs) are seeing the most second-level domains signed with DNSSEC. You can see the stats at:

The site shows a number of interesting stats, including:

  • the percentage of newgTLDs with signed second-level domains in them (60.80% at the time I write this)
  • the number and percentage of signed zones as it relates to the overall number of registered domains within the newgTLDs
  • the number of zones (of those signed) that failed DNSSEC validation (indicating a configuration issue)
  • a trend line over time
  • the distribution of signed domains across the number of newgTLDs
  • breakdowns of signed domains by both newgTLD and also by registrar

While the overall number of signed domains today within the 5.2 million domains registered in the newgTLDs is a very small 0.95%, we now have a very easy way to see where DNSSEC signing is being actively used – and a way to measure which of the newgTLDs and also registrars are doing the most to support DNSSEC deployment.

I was intrigued to see that the leader of the newgTLDs is the .OVH TLD sponsored by a French hosting provider, OVH, with Afnic providing the back-end registry. According to their site, the OVH domain started as an April Fool’s joke in 2009 and then became a reality due to the interest.  Clicking through to their registrar site (they are apparently the only registrar for the .OVH domain), you can see why they have so many domains signed – they have a “Activate DNSSEC on this extension!” link directly on their registration page!

Looking at the Registrar Breakdown column, the OVH registrar leads in the number of DNSSEC-signed newgTLDs, presumably because they are again offering DNSSEC-signing to anyone who uses them for DNS hosting, regardless of what newgTLD they register under.

I was also curious as to why “.paris” was the second-highest newgTLD with 2,347 signed domains, but the probably answer could be quickly found by clicking through to the .paris page. It shows the top 2 registrars as “Gandi SAS” and “OVH sas”… my guess would be that many/most of the 2,347 signed domains could come from the 4,000 domains registered by OVH, given that they are actively promoting DNSSEC.

Another interesting element of this new page is that you can change the slider underneath the trend line to see more stats over time.  By moving the slider all the way to the left you can get a view of the trend in the newgTLDs.

There’s a huge jump in October 2014.  Given the other stats and the information on the OVH web site, my guess would be that this was a result of the launch of the .OVH newgTLD.

Anyway… there’s probably a lot more we can learn from exploring the statistics in this way.  The key point is that now there is a very easy-to-use web interface that lets us track and be able to show which of the newgTLDs are doing the most to provide registrants the security provided by DNSSEC.  I’d note that this is all possible because all of the new gTLDs are required by ICANN to submit their zone files to the Centralized Zone Data Service (CZDS), allowing sites like nTLDstats to query the CZDS and build views such as these.

Kudos to the nTLDstats team for adding this page!  I will be adding it to our DNSSEC Statistics page and look forward to using it over time.

P.S. Want to get started with signing your domain?  Visit our Start Here page to learn how!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...