Defaults.Exposed

Defaults.Exposed › Reports

Does Mandatory DNSSEC Work? What Registry-Driven Adoption Reveals (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains, by national domain ending (a proxy for the registry’s policy, not company location). “Registry-driven” = the ending’s registry actively promotes DNSSEC through incentives or requirements — mostly registrar incentives, not legal mandates. “Valid” = a DNSSEC chain that validates; “broken” = signed but failing validation. See how we grade.

Does making registrars push DNSSEC actually move adoption? Yes — decisively — but with a catch. On endings whose registries drive DNSSEC, 9.1% of domains have a valid signature, versus just 1.3% on endings that leave it to owners — roughly 7× higher. Policy works where voluntary adoption flatlines. The catch: even in the leaders, more domains break DNSSEC than get it right — so registry pressure solves turning it on, not doing it correctly.

Does pushing DNSSEC raise adoption?

Unambiguously. Registry-driven national endings cluster around 10–18% valid DNSSEC; laissez-faire endings sit near the 1.99% global floor. Higher valid % is better; broken % is the cost of getting it wrong. As of 2026-06-29:

EndingRegistry stanceDNSSEC validBroken
.se (Sweden)Driven (registrar incentives)18.38%30.35%
.no (Norway)Driven16.59%25.24%
.sk (Slovakia)Driven16.61%25.59%
.cz (Czechia)Driven (registrar incentives)14.62%26.28%
.nl (Netherlands)Driven (registrar incentives)11.86%22.98%
.fr (France)Driven5.13%9.54%
.comLaissez-faire1.62%2.44%
.de (Germany)Laissez-faire0.92%1.60%
.uk (United Kingdom)Laissez-faire1.06%1.72%

Sweden’s 18.38% is more than ten times .com’s 1.62%. The gap isn’t about the technology — it’s the same protocol everywhere — it’s about whether someone in the chain had a reason to deploy it.

The catch: more broken than working

Here’s the uncomfortable half. In every registry-driven ending above, the broken rate is higher than the valid rate — Sweden runs 30.35% broken against 18.38% valid; the Netherlands 22.98% against 11.86%. Across all driven endings it’s 15.7% broken vs 9.1% valid.

That matters because broken DNSSEC isn’t harmless: a validating resolver will refuse to resolve a domain whose signatures don’t check out, so a misconfiguration can take the domain offline — website and email — for a slice of the internet. Driving adoption without driving correctness scales the outages alongside the protection. It’s the same execution problem the whole web shows in the DNSSEC paradox, just amplified where more domains attempt it.

Why registry policy beats leaving it to owners

DNSSEC has no forcing event for an individual owner: nothing breaks or warns if you skip it, so on a laissez-faire ending like .com adoption sits flat near 1.62% indefinitely. The registries that broke out of that did it through economics, not edicts — typically registrar incentives (discounts or rebates for signing zones) plus provider automation, which is how the Nordic, Czech and Dutch registries lifted their whole populations. It’s a clean natural experiment: same protocol, same difficulty, very different outcomes — and the difference is registry policy.

Mandate or incentive — what actually moves the needle?

Mostly incentive. Despite the “mandatory” framing the question is usually posed with, the high-adoption endings here generally encourage DNSSEC rather than legally require it; hard mandates are rarer (some governments require it for public-sector domains). The lesson for any registry: aligning registrar economics and automation toward signing works — but it should be paired with managed signing and key-rollover, or you simply manufacture more broken zones.

Frequently asked questions

Does requiring or incentivising DNSSEC actually increase adoption? Yes — about 7× in our data: 9.1% valid on registry-driven endings versus 1.3% on laissez-faire ones, as of 2026-06-29.

Which country or TLD has the most DNSSEC? Among large endings, Sweden (.se) leads at 18.38% valid — over ten times .com’s 1.62%.

If adoption is higher, is DNSSEC done correctly? Often not. In every high-adoption ending, broken DNSSEC outnumbers valid (15.7% vs 9.1% across driven endings) — and broken DNSSEC can take a domain offline.

Should a small business turn DNSSEC on? Only if it’s managed correctly — a broken signature is worse than none. Use a provider that handles signing and key rollover, and verify it validates. See how to fix DNSSEC.

Check your domain’s DNS

See whether your DNSSEC is valid, broken, or absent — and the rest of your posture — privately and free.

Check your domain → · The DNSSEC paradox → · Who runs the internet’s DNS? → · Fix DNSSEC → · Aggregate data only. Data stored and processed in the EU.