As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 617 of the 795 top-level domains (TLDs) are now signed with DNSSEC.

You can see this easily at Rick Lamb’s DNSSEC statistics site:

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world. If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD. Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops, ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead. The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE.

It’s great to see this growth in the signing of TLDs and we look forward to the rest of the TLDs being fully signed in the time ahead.

(An earlier version of this post was posted on the Internet Society Deploy360 blog.)