Deploy360 Domain Name System Security Extensions (DNSSEC)

Madagascar Signs .MG With DNSSEC As Part Of “Internet Day”


Last week the island country of Madagascar became the latest country-code top-level domain (ccTLD) to sign their .MG domain with DNSSEC.  As we note in the steps for signing a domain, having a signed TLD is critical so that your domain can tie into the global “chain of trust” that provides the added security of DNSSEC.

Now that this step has been completed, the next steps will involve the registrars and DNS hosting providers for .MG domains making DNSSEC signing accessible to .MG domain registrants.

I’ll note that the DNSSEC signing of .MG was part of a broader set of activities that took place on March 17, 2016, as part of “Internet Day 2016” within Madagascar.  My colleague Michuki Mwangi was there and wrote about the activities that also included the launch of an Internet exchange point (IXP).  Judging by his photos, it looks like an interesting event!

We congratulate the .MG team for the signing!  It’s great to see the Africa part of our DNSSEC Deployment Maps get a bit more green – and we look forward to seeing even more ccTLDs sign their domains.

If you are interested in gaining the added level of trust in your domain that comes with DNSSEC, please visit our Start Here page to begin!

P.S. Madagascar will start appearing in our weekly DNSSEC deployment maps as green beginning next Monday, March 28, 2016.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Azerbaijan (.AZ) Becomes Latest ccTLD To Sign With DNSSEC


Earlier this month Azerbaijan’s .AZ became the latest country-code top-level domain (ccTLD) to sign the domain with DNSSEC and complete the first step in allowing all domains underneath .AZ to obtain the higher level of security possible with DNSSEC.    This is, of course, just the first step.  As we outline in our tutorial, the next steps are that registrars and DNS hosting providers for .AZ need to now support the DNSSEC-signing of domains.  But it’s a good step to see!

We saw this signing come through on Rick Lamb’s DNSSEC Deployment Report and could easily verify it on the command-line using the command “dig dnskey az.” which shows the relevant DNSKEY records. (As well as “dig ds az.” that shows the existence of the DS record.)

A great step forward for Azerbaijan – and we look forward to seeing even more of the countries on our DNSSEC Deployment Maps filled in with green over the months ahead!

If you want to get started with DNSSEC, please visit our Start Here page to begin!

Deploy360 Domain Name System Security Extensions (DNSSEC)

Congratulations to Uruguay on signing .UY with DNSSEC!


Last week Uruguay became the latest country to sign their country-code top-level domain (ccTLD) with DNSSEC!  With that change, the DNSSEC deployment map for the Latin American region gets just that much greener.  And now, everyone using a .UY domain will potentially be able to benefit from the increased security and trust provided by DNSSEC – and also to make use of newer innovations such as DANE.  I say “potentially” only because having the TLD signed is just the first step in the process of signing your domain – you still need your domain name registrar and your DNS hosting provider (which might be your registrar) to support DNSSEC.  However, this is a great step forward for Uruguay and shows the continued deployment of DNSSEC around the world.

Congrats to the team at Servicio Central de Informatica (SECIU) who made this happen!

If you would like to learn about how you can secure your domain with DNSSEC (whether you are in Uruguay or anywhere else in the world), please visit our Start Here page to begin…

Deploy360 Domain Name System Security Extensions (DNSSEC)

New DNSSEC Deployment Map Available In Global Internet Maps

Our DNSSEC Deployment Maps are now also available as part of a larger set of Global Internet Maps produced as part of our annual Global Internet Report.  My colleague Michael Kende wrote about these new maps earlier this month and explained a bit about them. This new DNSSEC deployment map is rather fun in that it is interactive and you can zoom around and hover over any country to see what stage the country code top-level domain (ccTLD) is at.  This map is based off of the 5 stages of DNSSEC deployment that we track as part of the weekly DNSSEC deployment maps we generate. (Click/tap the image to go to the site.)

DNSSEC maps in Global Internet Report

One note of caution – these Global Internet Maps are only updated periodically and so that DNSSEC deployment map will not necessarily be as up-to-date with ccTLDs as the weekly DNSSEC Deployment Maps.  The best place to get the most current maps is the archive of the dnssec-maps mailing list.  New maps get generated every Monday morning.

However, the Global Internet Map is current now (March 2015) with regard to ccTLDs – and it’s a very nice view of where we need to have more ccTLDs signed with DNSSEC.  Please do enjoy using it – while you are there, please do explore all the other maps that are made available.  These kinds of visualizations are great to see!

Building Trust Technology

Netradar data enriches Global Internet Report

The latest release of maps visualising different aspects of the Internet as part of our Global Internet Report now includes the fruits of our collaboration with Netradar.

You can now explore the differences in mobile network upload and download bandwidth, as well as latency for many countries around the world. The data presented is based on user-contributed measurements of 3G and LTE networks using the Netradar measurement application. Some of the measurement results are striking. Finland comes out on top of the six countries with maximum recorded download speeds in excess of 100Mbps, with a staggering 227Mbps. Average download speeds are also impressive in some cases with 11 countries exceeding 10Mbps and Denmark averaging over 22Mbps.

The free app, part of the Netradar Project led by Professor Jukka Manner, provides neutral and accurate information about the quality and diversity (in terms of bandwidth and latency) of Internet connections and mobile devices everywhere. It does this by measuring and displaying the data submitted anonymously by anyone who runs the application.

This kind of data helps form a more detailed picture of worldwide network quality, so we can better understand the scope and impact of network changes, and ultimately help to ensure the Internet’s sustainability and reliability for future generations.

Smartphone users around the globe can download the app (available for Android, iPhone, Windows Phone, Symbian, Meego, Maemo, Jolla and Blackberry platforms), contribute their measurements and see their results at (No personal information is gathered by the system, and no account or login is necessary. Optional use of a third-party login enables users to track their measurement history.)

Help us build a global picture of Internet diversity and evolution!

Growing the Internet Internet Governance

If a picture is worth a thousand words, what about a map?

Based on the positive response to the online maps we released last year, they tell a story. All of us understand the digital divide, but here we can see it in the differences between regions, and we can puzzle why some countries stand out within a region. To help find answers, we can see how affordability of Internet access differs and can help to explain adoption levels. What about the speed of broadband? Is the speed in our country really so slow compared to our neighbours, or is it better than we thought? And why is the Internet more or less resilient?

These were among the topics covered in last year’s Global Internet Report, and we have just updated those maps. We also went further, and added maps on Internet resources (IPv4 allocations, ccTLD usage) and the stage of DNSSEC deployment across countries. We also started to address content, looking at Wikipedia edits across countries, as well as limits on content in different countries.

Enjoy the maps - you can embed them in your own pages, and help us to share them further. Please also let us know if there are other public data sources we could use to create more maps, so that we can add more chapters to the living story of how the Internet is spreading everywhere, for everyone.

Picture © Aram Bartholl 2014 by-nc-sa 3.0

Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Middle East DNS Forum Covers DNSSEC – Let's Fill In The Map!

Over in Amman, Jordan, today our Internet Society colleague Frédéric Donck gave a keynote address at the Middle East DNS Forum where I know he was planning to speak about DNSSEC and our interest in advancing the deployment so that together we can make the Internet more secure via a more secure DNS infrastructure. (His talk was also going to cover Internet governance and infrastructure development topics.)  The folks at the Middle East DNS Forum were kind enough to tweet out a photo of Frédéric in action:

Middle East DNS Forum

In preparation for his presentation at the meeting, I provided Frédéric with a snapshot of our weekly DNSSEC Deployment Maps for the Middle East region (the colors represent the 5 stages of DNSSEC deployment):


As you can see, there’s definitely room to have more of the country-code top-level domains (ccTLDs) signed in the region.  From what the database shows, I have this information:

  • Lebanon has signed .LB and the DS record is in the root of DNS.
  • Afghanistan has signed .AF and the DS record is in the root of DNS.
  • Turkey (.TR) is “Announced” because a representative of the registry contacted me with their plans (and they publicly announced their plans at the ICANN Turkey DNS Forum in November 2014).
  • Israel is in the “Announced” state because a representative of the .IL registry contacted me with their plans.
  • Iraq (.IQ) and Iran (.IR) are in “Experimental” because activity was observed a few years back.

For Lebanon and Afghanistan, they could be in the “Operational” stage and be accepting DS records from domain registrants.  We just don’t know because we have no way to find out unless either: 1) someone from the registry tells us (and I haven’t yet tried to contact these ccTLDs to know); or 2) someone who has registered a domain in those ccTLDs lets us know.

Although the agenda of the Middle East DNS Forum is mostly not about technical topics, I do hope Frédéric’s discussion will ignite some interest and we can start seeing the Middle East region joining the rest of the world in providing a way to secure the integrity of DNS information within the ccTLDs.

In fact, if you are visiting our site as a result of that Forum, please do visit our Start Here page to find out how you can begin with DNSSEC – or please contact us so that we can help you find the appropriate resources.

Let’s fill in that map and get the whole region to be green!

P.S. If anyone has more information about the DNSSEC deployment status of ccTLDs in that region, please do let me know – I’d be glad to update the maps.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Over 600 Top-Level Domains Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:

DNSSEC statistics

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world.  If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

ccTLD dnssec deployment map

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD.  Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops,  ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead.  The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!

Great to see!

P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Indonesia And Vanuatu Sign .ID and .VU With DNSSEC

We were very pleased to learn this morning that both Indonesia’s .ID and Vanuatu’s .VU country-code top-level domains (ccTLDs) had DS records uploaded to the root zone of DNS over the weekend.  What this means is that they have both entered the fourth of five deployment stages that we track as part of the DNSSEC Deployment Maps.

At some point soon, people who have registered domains under .ID and .VU should be able to upload their own DNSSEC records and be able to obtain the higher level of security and trust that comes with having their domain signed with DNSSEC.  We don’t yet know when the registries for .ID and .VU will start accepting DS records from registrants, but hopefully at some point soon.

Given that the records were entered into the root zone of DNS after I had finished updating the database on Friday for the DNSSEC Deployment Maps that were distributed this morning, I took the unusual step of re-generating the maps today after a quick database update.  Subscribers to the public dnssec-maps mailing list have all received a second set of maps for today.  Normally I might have just waited for next week but given Indonesia’s size it adds a nice bit of green to the Asia Pacific map and I wanted that to be shown.

With these two ccTLDs having their DS record in the root zone, this brings us to 97 of the 247 ccTLDs that we track in our database being signed with DNSSEC.  (There are also .EU and .SU which we consider more “regional” TLDs (and are both signed), but which other lists count as ccTLDs, so you could say that we show 99 of 249 being signed.)  Given that most of the generic TLDs are signed and all the new gTLDs MUST be signed when they launch, the remaining 150 unsigned ccTLDs are the major area where attention will be focused over the next while in terms of getting TLDs signed.  ICANN’s DNS team is spending a good bit of time traveling to many of these countries to help them get their ccTLDs signed and operational.

Congratulations to the teams at .ID and .VU for getting their domains signed and linked in to the DNSSEC global “chain of trust”.  We look forward to learning that those two ccTLDs become “Operational” and second-level domains can begin uploading DNSSEC records soon.

Note – if you would like to learn more about how you can get started with DNSSEC, please visit our Start Here page to find resources tailored to your role or type of organization.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Congrats To Norway’s .NO On Over 5,000 DNSSEC-Signed Domains!

Congratulations to the Norid team on going live with DNSSEC for the .NO country-code top-level domain (ccTLD) this week!  You may recall we wrote about .NO being signed in the root zone of DNS back on November 18 (and the cake they baked to celebrate!), but this news this week now moves them to the fully “Operational” status in our DNSSEC deployment maps.

As they note on their page about the news, the .NO registry started accepting DNSSEC records from .NO domain registrants on Tuesday, December 9th.  They also indicated that they had 16 registrars (and now today I count 17).

Even better… after the first day, Norid’s Unni Solås reported on Twitter that they had passed 3,000 signed .NO domains:

and on the second day they were over 5,300:

Presumably two days later they will have even more DNSSEC-signed domains!

By the way, the Norid folks have a great DNSSEC project description (in English) that walks through the different stages of their deployment.  This could be very useful for any other ccTLDs looking to deploy DNSSEC.

Anyway… great work by the Norid team and others there in Norway – and we’re looking forward to hearing more about DNSSEC in Norway.

P.S. If you want to sign your domain with DNSSEC or enable DNSSEC validation on your network, please visit our Start Here page to find resources aimed at your type of organization or role.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Australia (.AU) and Grenada (.GD) Are Latest ccTLDs To Sign With DNSSEC

Today’s DNSSEC Deployment Maps have two great new additions for country-code top-level domains (ccTLDs): Australia’s .AU domain and Grenada’s .GD domain both had their DS record published in the root zone of DNS over the past few days.  What this means is that anyone who has registered a domain in .AU or .GD may soon be able to gain the increased security of signing their own domain with DNSSEC and tying it into the “global chain of trust” of DNSSEC.  To be clear, these two ccTLDs have entered the 4th of 5 stages of DNSSEC deployment where the DNSSEC chain of trust now extends from the root of DNS to the ccTLD itself.  The next “Operational” stage is where the ccTLD starts accepting DNSSEC records from registrants.  Hopefully that time will not be far away for both of these ccTLDs.  (To get ready, please visit our Start Here page to find out how you can prepare your organization to work with DNSSEC.)

Given Australia’s large size on a map, the new “DS in Root” bright green shows up wonderfully in the global view:

Global DNSSEC Deployment map as of 1-Dec-2014

and even better in the Asia Pacific view:

Asia Pacific DNSSEC deployment map as of 1-Dec-2014

Unfortunately with the resolution of our maps you can’t really see Grenada on the Latin America map, but I can tell you that it is one of the six ccTLDs in the “DS in Root” stage in the map:

Latin America DNSSEC deployment map as of 1-Dec-2014

Congratulations to the teams at both ccTLD registries!

In the case of Australia’s .AU, the registry organization, auDA, has been experimenting with DNSSEC since back in 2008 and 2010, and signed the .AU zone back in April 2014 (entering into our “Partial” state on the maps).  The news this past week is the culmination of all that work over several years.  AuDA has also published two pages of interest:

We look forward to learning that auDA is accepting DNSSEC records from .AU registrants and enters the fully “Operational” state.

In the case of Grenada, the first we knew was when the DS record was published in the root zone (seen on stats sites like this one). I couldn’t see any further information on, so I don’t know their further plans at this point.  Regardless, it was a wonderful surprise to learn that .GD was signed and had the DS record in the root zone!

In fact, November was a great month for ccTLDs and DNSSEC with Norway’s .NO signing and Ireland’s .IE signing and also entering the “Operational” state.

All great to see!  We’re looking forward to the day when our DNSSEC deployment maps are all green!

If you want to get started with DNSSEC – or just learn more of what it is all about, please visit our Start Here page to find resources tailored for your type of organization or role.

Deploy360 Domain Name System Security Extensions (DNSSEC)

New DNSSEC Deployment Maps – Now Corrected And Updated

If you have been receiving our DNSSEC deployment maps by email or just using the maps from our web page, you need to know an important fact:

The maps we’ve been publishing recently have had the incorrect status set for several countries.

The maps published last week on October 14, 2014, (and the ones distributed via email today) have now been fully verified to have the correct status of all country-code top-level domains (ccTLDs).

The maps are correct today!

To explain a bit more, in preparation for last week’s DNSSEC Workshop at ICANN 51 I was puzzled by something that didn’t seem right with what we were publishing.  Specifically, Australia was showing up in a September map as having a “DS in Root” when I knew for a fact that .AU did not (and could easily confirm using “dig” at the command-line).  Diving into the issue more, I discovered what happened.

One of the strengths of our set of DNSSEC deployment maps is that we track 5 stages of DNSSEC deployment versus simply showing whether they are publishing a DS in the root zone.  This allows us to do some forward projection to what we think the state of DNSSEC deployment may be in the future based on statements made by various ccTLDs about their plans for DNSSEC deployment.

But what if those plans don’t work out exactly right?

Our database contains records for each ccTLD based on both factual data (such as whether they have a DS record in the root zone) and observed information that could be from announcements, presentations at industry conferences, blog posts, email messages, etc.

In this case, there were forward-looking records for a number of ccTLDs that had been entered into the database but then had not actually happened on the projected dates.  For whatever reasons, various plans and public statements did not hit their target dates.

I spent my plane flight out to Los Angeles going through the tedious exercise of comparing our database with a list of TLDs that had a DS in the root zone, and then followed that up with further confirmations once I had Internet access in L.A.  The end result is that I identified the forward-looking records that needed to be changed and updated our database in time to generate the maps I needed for last Wednesday’s workshop.

I also identified a hole in our process where I was not routinely checking the forward-looking records to be sure that they were in fact happening.  This is all part of the learning process after we took on maintenance of these maps from Shinkuro, Inc., earlier in 2014.  Now we’ll be sure to check this in the future.
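The routine check described here, and the “dig ds” / “dig dnskey” lookups mentioned earlier on this page, can be combined into one audit. The Python below is an added example, not the Deploy360 tooling: it compares each ccTLD's stage in a database export against the stage that DNS records can actually prove. The CSV column names are assumptions, and the sample records are constructed with placeholder key data.

```python
import csv
import io

# The five stages tracked by the maps, in deployment order.
STAGES = ["Experimental", "Announced", "Partial", "DS in Root", "Operational"]

# Constructed sample: answer lines as printed by "dig +noall +answer ds <tld>."
# and "dig +noall +answer dnskey <tld>.". Key tags and key data are placeholders.
SAMPLE_DNS = """\
au. 3600  IN DNSKEY 257 3 8 PLACEHOLDERKEY
no. 86400 IN DS     11111 8 2 PLACEHOLDERDIGEST
no. 3600  IN DNSKEY 257 3 8 PLACEHOLDERKEY
id. 86400 IN DS     22222 8 2 PLACEHOLDERDIGEST
id. 3600  IN DNSKEY 257 3 8 PLACEHOLDERKEY
"""

# Constructed database export; the column names are an assumption.
SAMPLE_DB = """\
tld,stage
au,DS in Root
no,Operational
id,Partial
tr,Announced
"""

def parse_answers(text):
    """Return {tld: set of record types seen} from dig answer-section lines."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata...
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        if fields[3] in ("DS", "DNSKEY"):
            seen.setdefault(fields[0].rstrip(".").lower(), set()).add(fields[3])
    return seen

def observed_stage(rtypes):
    """Highest stage that DNS alone can prove; None if nothing is published."""
    if "DS" in rtypes:
        return "DS in Root"
    if "DNSKEY" in rtypes:
        return "Partial"  # zone is signed but not linked from the root
    return None

def audit(db_csv, dns_text):
    """Compare each claimed stage with what DNS shows; return the mismatches."""
    seen = parse_answers(dns_text)
    ds_rank = STAGES.index("DS in Root")
    findings = []
    for row in csv.DictReader(io.StringIO(db_csv)):
        tld, claimed = row["tld"].strip().lower(), row["stage"].strip()
        claimed_rank = STAGES.index(claimed)
        observed = observed_stage(seen.get(tld, set()))
        obs_rank = STAGES.index(observed) if observed else -1
        # Only "Partial" and later are checkable. "Operational" is capped at
        # "DS in Root": whether a registry accepts DS records is not in DNS.
        provable = min(claimed_rank, ds_rank)
        if provable >= STAGES.index("Partial") and obs_rank < provable:
            findings.append((tld, claimed, observed or "unsigned", "overstated"))
        elif obs_rank > claimed_rank:
            findings.append((tld, claimed, observed, "understated"))
    return findings

if __name__ == "__main__":
    for tld, claimed, observed, verdict in audit(SAMPLE_DB, SAMPLE_DNS):
        print(f".{tld.upper()}: database says {claimed!r}, DNS shows {observed!r} ({verdict})")
```

An “overstated” finding is the case described above, where a forward-looking record did not happen on its projected date; “understated” catches a DS record that reached the root zone after the database was last updated.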

I do apologize if anyone used these maps in recent presentations over the past few months.  We’ll be working to make sure they stay updated in the time ahead.

By the way, if you do want to receive these DNSSEC deployment maps by email each week, you can subscribe to the public email list.  The maps are distributed via email each Monday morning, along with comma-separated value (CSV) files containing the DNSSEC status of all the ccTLDs and the generic TLDs (gTLDs).

And… if you want to get started with DNSSEC yourself, please visit our Start Here page to find resources aimed at your type of organization or role.