CZ.NIC, z.s.p.o, is an interest association of legal entities, founded in 1998 by leading providers of Internet services in the Czech Republic. The principal duties and activities of the association include operation of the .CZ domain registry and DNS servers for the .CZ top-level domain (TLD).

The annual domain report is an on-line publication that offers key statistical facts about the status and dynamics of the Czech country-code TLD (ccTLD), which is primarily used by subjects in the Czech Republic – individuals and organisations.

The graphs and tables are organised into several sections illustrating various aspects of the registry and domain operation. Most charts are interactive: additional information can be obtained by placing the mouse cursor over graphical components of such a chart. In multivariate graphs, each variable can be switched off or on by clicking on the corresponding entry in the legend.

Domain Registrations

After a period of accelerated growth during the covid years, in the last two years the total number of .CZ domains shows signs of saturation again. In 2023, the year-over-year increase was only 0.4%, which is even less than the YoY increase in 2019. The number of second-level domains registered under .CZ reached 1 468 788 by the end of 2023.

The following chart shows monthly domain registrations during the last four years. Again, the numbers are quite similar to pre-covid years and follow the typical camel-like shape with a maximum in March and another (usually smaller) peak in October-December.

Registrars

Market shares of leading registrars and their dynamics are displayed in the following table and graph, respectively. The rightmost table column shows approximate percentages of parked domains in the portfolio of each registrar. Parked domains were classified by a machine-learning algorithm with an accuracy of 92%.

Registrar Domains Parked (%)
INTERNET-CZ 310 152 8
WEDOS 295 985 25
ACTIVE24 190 335 32
GRANSY 153 002 11
WEBGLOBE 143 147 13
other 128 532 20
ZONER 63 933 28
MEDIA4WEB 54 940 5
WEB4U 47 213 28
THINLINE 31 263 31
1API 28 664 18
TELE3 21 570 13

Web Contents

The following bar charts give the results of an automatic classification of all second-level domains according to the contents of their “home” web pages. A machine learning algorithm was applied to the source data provided by DNS crawler. See ADAM Report 2/2020 for details.

The graph on the left gives a baseline classification into seven classes. Ordinary domains denote all domains that do not fall into one of the other six categories. A detailed breakdown of this category into subcategories with specific contents is shown on the right.

Domain Geography

Each domain is registered for a concrete domain holder, which may be a person or a company – either holder category has a share of almost exactly 50%. Obviously, most of the .CZ domains (1 326 810, i.e. 90.33%) have holders with Czech addresses. The following table and map show their distribution among the 14 regions of the Czech Republic, as well as the number of domains per 100 citizens. The regions with the highest relative increase in the number of domains are Jihomoravský (2.8%) and Středočeský (2.55). On the other hand, we observe a decrease of 2.4% for Praha, which is unusual and likely to be caused by the verification of domain holder addresses performed in 2023.

Region Domains per 100 citizens
Praha 417 315 31.65
Jihomoravský 164 903 13.85
Středočeský 143 103 10.36
Moravskoslezský 100 851 8.40
Zlínský 64 051 10.99
Jihočeský 55 852 8.68
Ústecký 52 382 6.38
Pardubický 50 179 9.62
Královéhradecký 50 169 9.10
Olomoucký 46 607 7.37
Plzeňský 45 779 7.78
Vysočina 38 665 7.58
Liberecký 38 503 8.68
Karlovarský 16 077 5.46
Unknown 42 374

The share of domains held by foreign holders is currently 9.67%. The distribution of domains among top-ten countries of their domicile are shown in the table below.

Country Domains
United States 33 742 33742
Slovakia 27 825 27825
Germany 17 148 17148
Poland 7 447 7447
China 7 350 7350
United Kingdom 6 316 6316
France 5 027 5027
Netherlands 3 992 3992
Italy 2 945 2945
Switzerland 2 825 2825
Other 27 361 27361

The following slope graph shows the changes of the above domain counts in the last three years. The previous rapid increase for USA slowed down whereas the number of domains held by Chinese and Italian holders dropped down significantly.

The world-wide distribution of .CZ domain holder addresses is in the following zoomable map. Obviously, a vast majority of holders are concentrated in Western Europe and USA. In 2023, new domain holders emerged, for example, in Benin, Kyrgyzstan and Laos.

Domain Names

Each second-level domain is identified in the .CZ registry by a unique label (the part before .cz). CZ.NIC requires labels to obey rules of RFC 1035 that restricts the character set to lower- and upper-case letters of the English alphabet, digits and the hyphen symbol (“-”), and label length to 63 characters. The distribution of label lengths is shown in this histogram:

Excessively long domain names are of course not very convenient, so only eight of the .CZ domains have their labels with the maximum length. On the other hand, short labels are much more popular as demonstrated in the following table showing “occupancy” of the label space at the four shortest lengths. In particular, we can see that all single- and double-letter domains are already registered. For lengths of five or more, the label space is so vast that all registered domains only take a negligible fraction of all possibilities.

Label length Possibilities Registered % Registered
1 36 36 100
2 1 296 1 296 100
3 47 952 19 212 40
4 1 772 928 40 726 2

DNS Traffic

CZ.NIC currently operates 74 physical DNS servers for the .CZ zone, distributed in 14 countries of all continents except Antarctica. The number of servers has been reduced by more than one third since 2020, mainly due to the deployment of XDP that considerably increases the DNS server performance so that less hardware is needed.

On the average, the servers are queried by 1.53 million distinct resolvers every day that send around 18.8 thousand DNS queries per second (QPS). The resolvers’ requests are delivered to the “closest” server based on IP anycast routing configuration. The resulting global communication pattern is depicted in the following diagram showing average QPS distribution from top-15 countries in 2023.

In 2023, CZ.NIC deployed two new anycast nodes in Johannesburg (March) and Sydney (August). The significant decrease of the clients’ average round-trip time for both locations is clearly visible in the next graph.

DNS over IPv6

IPv6 adoption in the DNS has several aspects. From a statical point of view, a significant majority of second-level domains have authoritative DNS servers answering queries on both IPv4 and IPv6, as demonstrated in this pie chart:

The following two graphs, however, show that IPv6 is still a minority protocol in the traffic observed on both authoritative servers for .CZ and the public ODVR resolver.

DNSSEC

DNS Security Extensions (DNSSEC) use public key cryptography for securing DNS data. In the past fifteen years, CZ.NIC has been investing a lot of effort into dissemination and actual deployment of DNSSEC in second-level domains. The .CZ domain was among the first top-level domains to implement DNSSEC. CZ.NIC also actively encourages second-level domain administrators to use automatic DNSSEC provisioning via CDS and CDNSKEY resource records (see RFC 7344 and 8078).

DNSSEC Deployment

The following graph shows the number of DNSSEC-secured second-level domains (blue bars) in comparison to the total number of .CZ domains (black line).

Tha absolute count of domains supporting DNSSEC has been slightly decreasing for two consecutive years, in spite of an increase in the total number of domains. The relative share of DNSSEC-secured domains is currently 57.3%.

DNSSEC Algorithms

An important operational aspect of a robust DNSSEC deployment is the selection of a cryptographic algorithm. The following chart shows how the mix of cryptographic algorithms in the .CZ domain evolved since 2008.

We can see that the migration from the once-dominant algorithms RSASHA1 and RSASHA1-NSEC3-SHA1, which use the weak cryptographic hash function SHA-1, is almost complete, their share is now less than 3.5%. More than 72% domains use algorithms based on elliptic curves.

DANE

DANE (DNS-based Authentication of Named Entities) is a technology that uses the DNS hierarchy together with DNSSEC to validate authenticity of X.509 digital certificates.

Out of 745 506 unique mail servers specified in MX records for all .CZ second-level domains, 959 (0.13%) had a corresponding DANE TLSA record. Due to the concentration of mail services, the fraction of .CZ domains using DANE-protected servers is significantly higher: 10.35% (152 003 domains).

As shown in the next graph, the number of domains with DANE-protected mail servers (on the prevalent port 25) decreased quite significantly in 2023.

Server Software

This section illustrates estimated evolution of market shares achieved by various implementations of the most common Internet services – DNS, WWW and email – based on data obtained by the DNS crawler tool. A caveat of this approach is that the numbers largely depend on the willingness of server administrators to disclose the correct information.

If a domain uses multiple servers with different implementations of a given server, then the same domain is counted repeatedly for all implementations.

Authoritative DNS Servers

The following time series plot shows the numbers of domains that use the most popular implementations of authoritative DNS servers, separately for IPv4 and IPv6. Knot DNS, a software project developed by CZ.NIC, is now probably the leading implementation for both versions of the IP protocol.

Web Servers

Web services within the .CZ domain are mostly run on Apache and NGINX servers. The following graph indicates that the OpenResty has been gaining ground in 2023.

Mail Servers

Finally, the following graph shows market shares of main mail servers. Of the second-level domains with a detected implementation, most is served by Postfix, although its popularity appears to be slightly declining in the last two years.