DNS Checker(beta)

DNSSEC Gaps

5.30% of 269.7M domains across 1,436 TLDs have DNSSEC enabled.

Analysis by Ishan Karunaratne · Data from 2026-05-25

DNSSEC Adoption Rate: 5.30%
Domains Signed: 14,300,360
Domains Unsigned: 255,392,167
Domains Analyzed: 269,692,527

These figures are computed from 269,692,527 domains across 1,436 indexed top-level domains (snapshot: May 25, 2026). Coverage is limited to TLDs with publicly accessible zone files; private DNS, internal records, and ccTLDs without published zone data are not represented in this measurement.

DNSSEC Leaders

TLD            Domains    DNSSEC %
.bank            2,400     100.00%
.insurance         163     100.00%
.crs               566      95.05%
.sbi               121      91.74%
.fox               312      66.35%
.se          1,446,635      59.91%
.nu            199,585      56.36%
.ch          2,627,829      52.86%
.christmas      15,183      49.80%
.surf           22,975      48.13%
.gent            3,800      46.47%
.garden        103,327      45.65%
.ovh            87,012      37.62%
.frl            10,217      35.00%
.page           38,807      32.98%
.tattoo          8,652      32.80%
.li             71,835      32.53%
.coupons         7,852      31.09%
.corsica         2,399      30.64%
.vlaanderen      5,335      28.88%

Lowest DNSSEC Adoption

TLD                        Domains    DNSSEC %
.企业 (.xn--vhquv)            2,861       0.00%
.kred                        1,653       0.00%
.cn                          1,435       0.00%
.kyoto                         990       0.00%
.cc                            273       0.00%
.lundbeck                      272       0.00%
.toyota                        254       0.00%
.娱乐 (.xn--fjq720a)            239       0.00%
.weir                          191       0.00%
.中信 (.xn--fiq64b)             170       0.00%
.citic                         157       0.00%
.餐厅 (.xn--imr513n)            150       0.00%
.gmo                           124       0.00%
.protection                    106       0.00%
.在线 (.xn--3ds443g)         35,409       0.01%
.realtor                    28,677       0.01%
.公司 (.xn--55qx5d)          21,772       0.01%
.рус (.xn--p1acf)           19,728       0.01%
.网络 (.xn--io0a7i)          16,058       0.01%

What Is DNSSEC and Why Does Adoption Matter?

DNSSEC (DNS Security Extensions) is a suite of specifications defined in RFC 4033, RFC 4034, and RFC 4035 that adds cryptographic authentication to DNS data. When a zone is signed, its DNS responses carry digital signatures (RRSIG records) that allow validating resolvers to verify that the data came from the zone owner and hasn’t been tampered with in transit. Without DNSSEC, DNS responses are unauthenticated — a resolver has no way to confirm that the IP address it received actually came from the domain’s authoritative nameserver.

This lack of authentication enables cache poisoning attacks (also known as Kaminsky attacks, after Dan Kaminsky’s 2008 disclosure). In a cache poisoning attack, an attacker injects forged DNS responses into a resolver’s cache, redirecting users to attacker-controlled servers. Mitigations described in RFC 5452 (source port randomization) add entropy to each query and so make forged responses much harder to get accepted, but they do not eliminate the attack — only DNSSEC provides cryptographic proof of DNS response authenticity.

Despite being standardized since 2005, DNSSEC adoption remains low across most gTLDs. DNS Checker tracks DNSSEC adoption by checking for DS (Delegation Signer) records in TLD zone files — the presence of a DS record indicates that the domain has DNSSEC enabled and that the parent zone publishes the link in the chain of trust that resolvers need to validate it.

How DNS Checker Measures DNSSEC Adoption

DNSSEC adoption is measured by checking for DS (Delegation Signer) records in TLD zone files. A DS record in a zone file indicates that the domain owner has configured DNSSEC signing at their DNS provider and that the registry has published the corresponding DS record in the TLD zone, linking the domain into the chain of trust. DNS Checker counts domains with DS records per TLD and computes adoption rates as a percentage of total domains in each zone.

The analysis distinguishes between TLDs with high DNSSEC adoption (often driven by registry policies or ccTLD mandates) and those with low adoption (typically gTLDs where DNSSEC is optional). The aggregate adoption rate shown above is computed across the full dataset of domains DNS Checker observes via TLD zone files — primarily gTLDs and the ccTLDs that publish zone data. ccTLDs without zone-file access (for example, .cn, .ru, and most country-code TLDs that do not participate in ICANN CZDS or open AXFR), private DNS zones, and internal records are not represented, so the figure should be read as DNSSEC adoption within DNS Checker's measurable surface — not a complete global count.

The dataset is refreshed daily from zone-file ingestion. Per-TLD figures and the dataset size shown in the stats above reflect the most recent snapshot date listed below the page heading.
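The counting method described above, as an added example written for this page rather than DNS Checker's own pipeline. It assumes zone files in the one-record-per-line form that CZDS and AXFR exports take, uses a constructed excerpt for the reserved .example TLD, and shows two details the prose implies but a naive count gets wrong: a domain with several DS records is still one signed domain, and RRSIG-over-DS lines in a signed TLD zone are not DS records.

```python
from collections import defaultdict

# Constructed zone-file excerpt for the reserved TLD ".example" (RFC 2606).
# Real TLD zone files are the same shape, just hundreds of MB long.
SAMPLE_ZONE = """\
example.          86400  IN SOA   a.nic.example. hostmaster.nic.example. 2026052500 1800 900 604800 86400
example.          86400  IN NS    a.nic.example.
foo.example.      172800 IN NS    ns1.foo.example.
foo.example.      172800 IN NS    ns2.foo.example.
ns1.foo.example.  172800 IN A     192.0.2.1          ; glue, not a delegation
ns2.foo.example.  172800 IN AAAA  2001:db8::1        ; glue, not a delegation
foo.example.      86400  IN DS    1036 8 2 0000000000000000000000000000000000000000000000000000000000000000
foo.example.      86400  IN DS    1036 8 4 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
BAR.example.      172800 IN NS    ns1.bar.example.
baz.example.      172800 IN NS    ns.baz.example.
baz.example.      86400  IN DS    4242 13 2 1111111111111111111111111111111111111111111111111111111111111111
qux.example.      172800 IN NS    ns.qux.example.
qux.example.      86400  IN RRSIG DS 8 2 86400 20260601000000 20260525000000 12345 example. c29tZXNpZw==
"""


def parse_record(line):
    """Return (owner, rtype) for one zone-file line, or None for blank or
    comment-only lines.  Accepts 'owner ttl IN type ...' and 'owner IN type ...';
    TTLs are assumed to be plain integers, as in CZDS exports."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    owner = fields[0].rstrip(".").lower()  # owner names are case-insensitive
    rest = fields[1:]
    if rest and rest[0].isdigit():         # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":   # optional class
        rest = rest[1:]
    if not rest:
        return None
    return owner, rest[0].upper()


def dnssec_adoption(zone_text):
    """Per-TLD adoption.  A delegated domain is a unique owner of NS records
    exactly one label below the TLD (the apex and glue names are excluded);
    it counts as signed when it also owns at least one DS record.  Only the
    record type is inspected, so an 'RRSIG DS' line is correctly ignored."""
    delegated = defaultdict(set)
    with_ds = defaultdict(set)
    for line in zone_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        owner, rtype = rec
        labels = owner.split(".")
        if len(labels) != 2:
            continue  # apex (1 label) or names below a delegation (3+ labels)
        tld = labels[-1]
        if rtype == "NS":
            delegated[tld].add(owner)
        elif rtype == "DS":
            with_ds[tld].add(owner)
    stats = {}
    for tld, domains in delegated.items():
        signed = len(with_ds[tld] & domains)   # DS without a matching delegation is not counted
        stats[tld] = (len(domains), signed, round(100.0 * signed / len(domains), 2))
    return stats


def aggregate(stats):
    """Collapse per-TLD tuples into (domains, signed, percent) for the whole dataset."""
    total = sum(d for d, _, _ in stats.values())
    signed = sum(s for _, s, _ in stats.values())
    return total, signed, (round(100.0 * signed / total, 2) if total else 0.0)


if __name__ == "__main__":
    per_tld = dnssec_adoption(SAMPLE_ZONE)
    for tld, (domains, signed, pct) in sorted(per_tld.items()):
        print(f".{tld}: {domains} domains, {signed} signed, {pct}% DNSSEC")
    print("aggregate:", aggregate(per_tld))
```

Counting raw DS lines in this excerpt would report three signed domains for .example; counting owners reports two, which is the figure the "Domains Signed" statistic needs.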

How to Enable DNSSEC for Your Domain

  1. Check if your DNS provider supports DNSSEC. Most major providers (Cloudflare, AWS Route 53, Google Cloud DNS, NS1, Dyn) support one-click DNSSEC activation.
  2. Enable DNSSEC signing at your DNS provider. This generates DNSKEY records and starts signing all DNS responses for your zone.
  3. Add the DS record to your domain’s parent zone via your domain registrar. Your DNS provider will give you the DS record values (key tag, algorithm, digest type, digest) to enter at your registrar.
  4. Verify DNSSEC is working using the DNS Checker DNS Inspector or tools like dnsviz.net. Check that the entire chain of trust validates from the root zone down to your domain.
  5. Monitor for DNSSEC validation failures, especially during key rollovers. Misconfigured DNSSEC (e.g., expired signatures or mismatched DS records) can make your domain completely unreachable to validating resolvers.

Frequently Asked Questions

How many domains and TLDs were analyzed for this DNSSEC measurement?

The adoption rate shown above is computed from every domain DNS Checker observes through TLD zone-file ingestion — currently in the hundreds of millions of domains across well over a thousand top-level domains. The exact dataset size and TLD count are shown in the stats panel and refresh daily; the snapshot date appears directly under the page heading. The figure is not an estimate or a sample; it is a direct count of DS records present in those zones.

Why does this DNSSEC adoption rate differ from other published figures?

Published DNSSEC adoption figures vary because they measure different surfaces. Some studies sample a fixed list of TLDs, some restrict to gTLDs only, some weight by Tranco-style popularity rather than counting every registration, and academic snapshots are often months or years out of date. The rate on this page is a direct count from the latest TLD zone-file snapshot DNS Checker has ingested. ccTLDs that do not publish their zone files (notably .cn and .ru) are not represented; if they were, the global rate would shift accordingly.

What is a cache poisoning attack?

A cache poisoning attack (Kaminsky attack) involves an attacker injecting forged DNS responses into a resolver’s cache. When successful, the resolver serves the forged response to all users, redirecting them to attacker-controlled servers. This can be used for phishing, malware distribution, or traffic interception — all without any visible change to the domain name in the user’s browser.

Why is DNSSEC adoption still low?

DNSSEC adoption remains low due to several factors: added complexity in DNS management, risk of making a domain unreachable if misconfigured, lack of visible user-facing benefit (no browser indicator), registrar/provider support gaps, and the perception that source port randomization (RFC 5452) is sufficient protection. However, source port randomization only raises the bar for attacks — it does not provide cryptographic proof of authenticity.

Can DNSSEC break my domain?

Yes, misconfigured DNSSEC can make your domain unreachable to validating resolvers (which include all major public resolvers like Google 8.8.8.8 and Cloudflare 1.1.1.1). Common issues include expired RRSIG signatures, mismatched DS records after provider migrations, and failed key rollovers. This is why monitoring DNSSEC validation status is critical.

What is a DS record?

A DS (Delegation Signer) record is published in the parent zone (e.g., the .com zone for a .com domain) and creates a chain of trust between the parent and child zone. It contains a hash of the child zone’s key-signing DNSKEY record (computed over the owner name and the DNSKEY data, as specified in RFC 4034), allowing resolvers to verify that the child zone’s DNSSEC signatures are authentic. Without a DS record in the parent zone, there is no chain of trust to the child and DNSSEC validation cannot occur.
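The DS-to-DNSKEY relationship described here, together with the "mismatched DS" check from step 5 of the how-to above, as a worked example added to this page; it is not DNS Checker's code. It implements the RFC 4034 key tag (Appendix B) and DS digest (Section 5.1.4) over a constructed DNSKEY whose key material is four arbitrary bytes rather than a real RSA key. The owner name example.com, the record lines and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 §5.1.3 plus later IANA assignments):
# 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.  Type 3 (GOST) is not handled.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_owner_name(name):
    """Canonical wire-format owner name (RFC 4034 §6.2): lowercase labels,
    each preceded by its length, ending with the empty root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA with
    the carry folded in.  (Deprecated algorithm 1 used a different rule.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [ttl] IN DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey


def parse_ds(line):
    """Parse 'owner [ttl] IN DS keytag algorithm digesttype hex...'."""
    fields = line.split()
    idx = fields.index("DS")
    tag, algorithm, digest_type = (int(f) for f in fields[idx + 1:idx + 4])
    return fields[0], tag, algorithm, digest_type, "".join(fields[idx + 4:]).upper()


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RDATA the registrar should publish: digest over the canonical owner
    name followed by the DNSKEY RDATA (RFC 4034 §5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST_ALGS[digest_type](canonical_owner_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds_line, dnskey_line):
    """Step-5 check: does the DS held by the registrar correspond to the DNSKEY
    the zone actually serves?  Any mismatch in owner, key tag, algorithm,
    digest type or digest leaves validating resolvers unable to build the
    chain of trust."""
    ds_owner, tag, algorithm, digest_type, digest = parse_ds(ds_line)
    key_owner, flags, protocol, key_alg, pubkey = parse_dnskey(dnskey_line)
    if canonical_owner_name(ds_owner) != canonical_owner_name(key_owner):
        return False
    if digest_type not in DS_DIGEST_ALGS:
        return False  # unknown digest type: nothing we can verify
    expected = ds_from_dnskey(key_owner, flags, protocol, key_alg, pubkey, digest_type)
    return expected == (tag, algorithm, digest_type, digest)


# Constructed demo records: the key material is four arbitrary bytes, which is
# enough for the key-tag and digest arithmetic (it is not a usable key).
DEMO_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AAEAAg=="
# Provider-migration scenario: a different key is now served, but the
# registrar still publishes the DS computed from the old one.
MIGRATED_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AAEAAw=="


def demo_ds_line(dnskey_line=DEMO_DNSKEY, digest_type=2):
    """Render the DS record a provider would hand you for the given DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type)
    return f"{owner} 86400 IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    ds = demo_ds_line()
    print("DS to give your registrar:", ds)
    print("matches current DNSKEY:   ", ds_matches_dnskey(ds, DEMO_DNSKEY))
    print("matches after key change: ", ds_matches_dnskey(ds, MIGRATED_DNSKEY))
```

For a live check, the same comparison runs on the DNSKEY RRset queried from the domain's authoritative servers and the DS RRset queried from the parent zone; the digest is computed over the canonical (lowercased) owner name, so a mixed-case registrar form does not produce a mismatch.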


Data updated daily — last snapshot: May 25, 2026