Domain Report 2021
CZ.NIC, z.s.p.o, is an interest association of legal entities, founded in 1998 by leading providers of Internet services in the Czech Republic. The principal duties and activities of the association include operation of the .CZ domain registry and DNS servers for the .CZ top-level domain (TLD).
The annual domain report is an on-line publication that offers key statistical facts about the status and dynamics of the Czech country-code TLD (ccTLD), which is primarily used by subjects in the Czech Republic – individuals and organisations.
The graphs and tables are organised into several sections illustrating various aspects of the registry and domain operation. Most charts are interactive: additional information can be obtained by placing the mouse cursor over graphical components of such a chart. In multivariate graphs, each variable can be switched off or on by clicking on the corresponding entry in the legend.
Domain Registrations
In the previous domain report we observed accelerated growth of the number of domains due to the effect of the COVID-19 pandemic. This trend continued in 2021: the number of domains rose to more than 1.42 million, meaning a 3.8% year-over-year increase and a 7.1% increase since the end of 2019.
The following chart shows monthly domain registrations in the last three years. In 2021, the periods of largest increases (January–March and November–December) coincide with the outbreaks of the pandemic in the Czech Republic.
Domain Geography
Each domain is registered for a concrete domain holder, which may be a person or a company – either holder category has a share of almost exactly 50%. Obviously, most of the .CZ domains (1.31 million, i.e. 91.8%) have holders with Czech addresses. The following table and map show their distribution among the 14 regions of the Czech Republic, as well as the number of domains per 100 citizens. The regions with the highest relative year-over-year increase in the number of domains are Praha (0.84%) and Zlínský (0.49%), and the region with the lowest relative increase in 2021 is Vysocina (0.08%).
| Region | Domains | per 100 citizens |
|---|---|---|
| Praha | 420 208 | 31.87 |
| Jihomoravský | 159 177 | 13.37 |
| Středočeský | 137 808 | 9.97 |
| Moravskoslezský | 98 589 | 8.21 |
| Zlínský | 61 104 | 10.48 |
| Jihočeský | 55 230 | 8.58 |
| Ústecký | 52 239 | 6.36 |
| Pardubický | 49 454 | 9.48 |
| Královéhradecký | 48 581 | 8.81 |
| Olomoucký | 45 548 | 7.21 |
| Plzeňský | 44 170 | 7.50 |
| Vysočina | 37 697 | 7.39 |
| Liberecký | 37 595 | 8.48 |
| Karlovarský | 15 843 | 5.38 |
The share of foreign domain holders is currently 8.2%. The distribution of domains among top ten countries of their domicile are shown in the table below.
| Country | Domains | ||
|---|---|---|---|
Slovakia
|
Slovakia | 26 672 | 26672 |
Germany
|
Germany | 14 478 | 14478 |
United States
|
United States | 13 149 | 13149 |
China
|
China | 6 949 | 6949 |
France
|
France | 6 566 | 6566 |
Poland
|
Poland | 5 586 | 5586 |
United Kingdom
|
United Kingdom | 5 185 | 5185 |
Netherlands
|
Netherlands | 4 074 | 4074 |
Bahamas
|
Bahamas | 3 619 | 3619 |
Switzerland
|
Switzerland | 3 161 | 3161 |
| Other | 27 417 | 27417 |
The changes in last three years are shown in the following slope graph. The growth of Bahamas observed last year still continues but already shows signs of saturation. Slovakia, China, USA and France show a clear upward trend, whereas Germany continued a slow decrease. Somewhat surprising is the fact that Austria, despite geographical proximity and long common history, assumes 13th place with 2533 domains, comparable to Malaysia.
The following zoomable map captures world-wide distribution of .CZ domain holder addresses. Most holders are in the northern hemisphere (Europe and North America), but some .CZ domains are registered in exotic countries such as Mongolia, Nepal, Bolivia, various Caribbean islands or sub-Saharan countries.
Domain Names
Each second-level domain is identified in the .CZ registry by a
unique label (the part before .cz). According to
RFC 1035, it
may consist of at most 63 characters. Excessively long domain names are
of course not very convenient, so only five of the .CZ domains have
their labels with the maximum length. On the other hand, short labels
are much more popular. In particular, all 36 one-character labels (26
letters and 10 digits) are already taken.
The following histogram shows the actual distribution of label length. The median is 10 characters.
DNS Traffic
CZ.NIC currently operates more than 120 DNS servers for the .CZ zone, distributed in 12 countries of 4 continents. On the average, they are contacted by about 1.25 million distinct resolvers every day that send around 16 thousand DNS queries per second (QPS). The resolvers’ requests are delivered to the “closest” server based on IP anycast routing configuration. The resulting global communication pattern is depicted in the following diagram showing average QPS distribution from top-15 countries in the last three months of 2021. The significant volume of traffic originating in the United States comes mostly from large US-based content providers.
DNS over IPv6
The following graph shows that a significant majority of second-level domains already have authoritative DNS servers answering queries on both IPv4 and IPv6. To make the figures complete, we have to add 4 domains that only have IPv6 DNS servers.
NOTE: The above results are not comparable to those published in previous domain reports due to a different classification method: we now also take into account domains whose DNS servers are outside the .CZ domain.
In terms of DNS traffic, the share of IPv6 is considerably smaller – one third for the authoritative DNS servers, and less than one tenth for the public ODVR resolver:
DNSSEC
DNS Security Extensions (DNSSEC) use public key cryptography for
securing DNS data. In the past decade, CZ.NIC has been investing a lot
of effort into dissemination and actual deployment of DNSSEC in
second-level domains. The .CZ domain was among the first top-level
domains to implement DNSSEC. CZ.NIC also actively encourages
second-level domain administrators to use automatic DNSSEC provisioning
via CDS and CDNSKEY resource records (see RFC 7344 and 8078).
DNSSEC Deployment
The following graph shows the growing number of DNSSEC-secured second-level domains (blue bars) in comparison to the total number of .CZ domains (black line).
Despite the absolute increase in DNSSEC-secured domains, their relative share among all second-level domains decreased in 2021, currently being 59.5%. The reasons are not easy to identify, a detailed analysis of this trend is planned for 2022.
DNSSEC Algorithms
An important operational aspect of a robust DNSSEC deployment is the selection of a cryptographic algorithm. The following chart shows how the mix of cryptographic algorithms in the .CZ domain evolved since 2008.
As we can see, RSASHA1 had been an absolutely dominating algorithm until 2015 (RSASHA1-NSEC3-SHA1 is the same, only serves certain backward compatibility purposes). This algorithm uses the SHA-1 cryptographic hash function that is known to be weak but, according to the current recommendations still poses no significant threats to DNSSEC integrity. The previous chart indicates that the migration to more secure craptographic algorithms is almost finished, as less than 5% second-level domains in .CZ still use those weaker algorithms.
DANE
DANE (DNS-based Authentication of Named Entities) is a technology that uses the DNS hierarchy together with DNSSEC to validate authenticity of X.509 digital certificates.
Out of 696,940 unique mail servers specified in MX
records for all .CZ second-level domains, 462
(0.07%) had a corresponding DANE TLSA
record. Due to the concentration of mail services, the fraction of .CZ
domains using DANE-protected servers is significantly higher –
11.1% (158,450 domains). Their
distribution among the three most commonly used TCP ports is shown in
the following histogram:
We also identified 195 domains with DANE records for
web services running on either www.<domain>.cz or
<domain>.cz. This means a small increase of 14.7%
compared to the previous year, but this count is still negligible and a
more widespread use of DANE for web browsing is nowhere in sight.
Server Software
This section contains estimates of the market shares achieved by implementations of the most common Internet services: DNS, web and e-mail. Data was obtained by querying all second-level domains using the DNS crawler tool in December 2021. We have slightly improved the algorithms for identifying implementations, but the results should still be taken with a grain of salt as they mostly depend on the willingness of server administrators to disclose the correct information.
Quite often, a domain uses multiple servers for a given service. If these servers use different implementations, then the same domain is counted for all implementations.
Web Servers
Web services in the .CZ domain are mostly run on Apache and NGINX servers. The following histogram
shows market shares of most common web server implementations detected
for the “main” page of each second-level domain, i.e. either
www.<domain>.cz or just
<domain>.cz.
Mail Servers
Finally, the following table shows the market shares of mail server
implementations. Included are all servers specified in MX
records of second-level domains.
| Software | Domains | Hosts |
|---|---|---|
| Unknown | 3 334 086 | 1 819 201 |
| Postfix | 640 681 | 212 381 |
| Exim | 72 745 | 17 765 |
| Microsoft | 38 409 | 34 866 |
| IceWarp | 22 653 | 17 938 |
| Haraka | 12 095 | 351 |
| Sendmail | 9 176 | 1 147 |
| Kerio | 3 647 | 1 966 |
| qmail | 557 | 30 |
| Symantec | 451 | 141 |
| Barracuda | 249 | 55 |
Web Contents
DNS crawler is also used for downloading web page contents of all second-level domains, see the project description for details. In the previous domain report we submitted the collected data to a baseline automatic classifier and then performed more detailed manual classification on a sample taken from “normal” websites.
For the present edition we used an experimental machine learning
model for a detailed classification of all second-level
domains, based on the same categories as the combined classification
last year. We developed an SVM
classifier based on TF-IDF and
trained it with a manually classified sample of 1250 domains. The
classifier prediction is not absolutely precise but good enough to make
inferences (f-score = 0.82). Achieving a better performance
will probably require an extensive training dataset and some changes in
the content categories.
Detailed results of the automatic classification of web content collected on 23 December 2021 are presented in the chart below.