DNSSEC has become mainstream

This year’s December 5 made it into the history of Czech Internet security by crossing a significant threshold. From this date, in the registry of .cz domains there are more domains with DNSSEC security than those which lack this protocol extension. Information provided by DNS systems of more than 51% (653,297) of .cz domains can now be authenticated to ensure that it was not spoofed on the way to the user.

As can be seen from the following chart, DNSSEC support for .cz domain has grown continuously since its introduction to the registry in 2008. Nine years later, we can finally declare that the majority of .cz domains is secured and that it is more common to have DNSSEC on a domain than not to have one.

The credit for achieving this milestone goes to all the registrars who have gradually implemented the DNSSEC support since 2008. As of December 5, 2016, at least one .cz domain secured with DNSSEC was registered by 38 registrars, 15 of which had more than 1,000 such domains. Nine registrars in total, mostly large ones, hold the national standard by having signed more than 50% of their customers’ domains. The specific numbers of DNSSEC-secured domains are shown in the following chart presenting the 15 largest contributors to the conquest of the 50% threshold. Thanks to all who have been working on it!


dnssec_cz_domain_support_registrarsIs should be also mentioned that the .cz domain stands comparison with other domain extensions; it holds top positions. More secured domains in the absolute number can be found only in the Netherlands (.nl), Brazil (.br) and Sweden (.se). In this ranking, the .cz domain outweighs even the much more widespread .com domain. Signed domains compise the majority in the .no and the .cz domains, followed by the Swedish domain .se, which is coming close to the 50% share of secured domains. A more detailed comparison is in the following table.


However, it doesn’t end with the achievement of the 50% share of domains signed with DNSSEC. We assume that the registrars who have implemented DNSSEC support in recent weeks, will improve the total numbers even more. Together with registrars and Internet service providers, we are also working on the introduction of new encryption algorithms (ECDSA support), which are used by DNSSEC. But I’ll write a separate article on this topic. Now I will allow myself an appeal towards the administrators of recursive DNS servers, which are usually internet service providers: “Increase the DNSSEC support on your servers, most of the .cz domains are secured with this technology, while about 2/3 of the resolvers are still unable to handle it!”


Leave a comment