Whisper
2025 State of DNSSEC

Only 0.0%
of the internet is
cryptographically secured

We analyzed 0 domains. Only 0 use DNSSEC.

gTLD zone file analysisDecember 2025905 TLDs covered

Explore the Data
Chapter 1

The Scale of the Problem

DNSSEC protects DNS queries from tampering. Yet only a tiny fraction of domains have it enabled.

0
Domains Analyzed
0
TLDs Covered
0
Countries
0
Networks (ASNs)
0
Unique ISPs
Internet Service Providers hosting DNSSEC domains
0
Unique Registrars
Domain registrars with DNSSEC-enabled domains

Among DNSSEC-signed domains in gTLD zone files. Country-code TLDs (.uk, .de, .jp) not included.

“The largest DNSSEC analysis ever conducted reveals that the vast majority of the internet remains vulnerable to DNS cache poisoning and man-in-the-middle attacks.”
Year-over-Year

8% Growth in 2025

DNSSEC adoption is accelerating. Emerging markets and developer-focused TLDs are leading the charge.

Comparing December 2025 vs December 2024 snapshots from gTLD zone file analysis

Total Domains7.6%
209,387,208
vs 194,619,487 in 2024
Adoption Rate2.2%
4.7%
vs 4.6% in 2024
TLDs1.7%
1,523
vs 1,498 in 2024
Countries3.8%
189
vs 182 in 2024
ECDSA Usage24.8%
40.3%
vs 32.3% in 2024

Fastest Growing Countries

By DNSSEC-signed domain count growth

Fastest Growing TLDs

By DNSSEC-signed domain count growth

2025 Year in Review

DNSSEC adoption grew by 7.6% year-over-year, with emerging markets leading the charge. The shift to modern ECDSA algorithms accelerated, now representing 40.3% of all signed domains.

Chapter 2

The Geography of Security

DNSSEC adoption varies dramatically by region. Infrastructure concentration creates single points of failure.

Country attribution based on DNS infrastructure geolocation, not organization headquarters.

World Map
Fewer domains
More domains

Top Countries

Top ISPs

1google llc
4,127,199
2cloudflare inc
2,323,241
3ovh sas
931,051
4onecom as
379,733
5neustar security services
218,092
6signet bv
214,335
Market Analysis

TLDs & Registrars

Domain extensions and registrars play a crucial role in DNSSEC adoption. Some registrars make it easy, others don't.

Top TLDs (Domain Extensions)

905 total TLDs in our dataset

Domain counts among DNSSEC-signed domains only

Top Domain Registrars

1GoDaddy
354,575
2Namecheap
83,094
3Tucows
68,470
4eNom
47,890
5Network Solutions
45,869
6Dynadot
38,542
7TurnCommerce, Inc. DBA NameBright.com
37,437
8Squarespace Domains II LLC
35,940

6593 unique registrars with DNSSEC domains

Registrar data from WHOIS records of signed domains

Registrar Impact on DNSSEC Adoption

Domain registrars have significant influence over DNSSEC adoption. Registrars that make DNSSEC easy to enable see higher adoption rates. Some automatically enable DNSSEC by default, while others require manual configuration.

Chapter 3

A Handful of Providers

Control the Keys

The top autonomous systems host a disproportionate share of DNSSEC infrastructure.

ASN data identifies networks hosting DNS nameservers for DNSSEC-signed domains.

#1

google llc

AS15169

4,064,218

domains

41.2%
#2

cloudflare inc

AS13335

2,323,239

domains

23.5%
#3

ovh sas

AS16276

931,051

domains

9.4%
#4onecom as(AS197495)
379,7333.8%
#5neustar security services(AS12008)
216,3512.2%
#6signet bv(AS20857)
214,3072.2%
#7f5 inc(AS55002)
170,5961.7%
#8domeneshop(AS12996)
126,7241.3%

Concentration Risk

High concentration in a few providers creates systemic risk. Any outage or compromise at these providers would have outsized impact on global DNS security.

Chapter 4

The Algorithm Landscape

DNSSEC supports multiple cryptographic algorithms. Modern elliptic curve algorithms offer better security and performance.

Distribution of cryptographic algorithms among DNSSEC-signed domains

9,926,664Total Domains
RSA/SHA-256Legacy
Algorithm 8
5,746,231
57.9%
ECDSA P-256Recommended
Algorithm 13
3,913,219
39.4%
Ed25519Recommended
Algorithm 15
144,806
1.5%
ECDSA P-384Recommended
Algorithm 14
64,536
0.7%
RSA/SHA-512Legacy
Algorithm 10
24,429
0.2%
Algorithm Reference
13: ECDSA P-256
14: ECDSA P-384
8: RSA/SHA-256
15: Ed25519
Key Insight

Most Popular Sites Are 2.7x More Secure

The world's most popular websites adopt DNSSEC at nearly three times the global rate. Security correlates with organizational maturity.

All 209M Domains
4.7%
~9.9 million domains secured
Tranco Top 1M Sites2.7x higher
12.6%
18,061 secured domains in Top 1M
Based on 143,509 gTLD domains in scope

14.3% of Top 1M sites use gTLDs. Many top sites use ccTLDs (.uk, .de, .ru) not in this analysis.

2024 → 2025
+31.2%
more secured domains
13,76618,061
Adoption Rate Change
+2.27pp
percentage point increase
10.3% → 12.6%
Key Insight
Top sites are adopting DNSSEC 3x faster than the global average
31% growth vs 10% globally

Why the difference?

High-traffic websites have stronger security teams, compliance requirements, and more to lose from DNS attacks. The gap shows that DNSSEC adoption correlates with organizational security maturity.

Top TLDs by Adoption (in Top 1M)

DNSSEC adoption rates among gTLD domains appearing in the Tranco Top 1M list

The Extremes

From 100% to 0%

Some TLDs mandate DNSSEC by policy. Others have completely ignored it. The contrast is striking.

100% Secured

TLDs with perfect adoption

Why? These are regulated industry TLDs where DNSSEC is mandated by registry policy. Financial services lead the way.

0% Secured

Large TLDs with zero adoption

Surprising: Major brand TLDs like .toyota and .canon have zero DNSSEC adoption despite owning their entire namespace.