
DNSSEC Deployment Reaching Critical Mass

Ram Mohan

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our "Project Safeguard." Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.
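The chain of trust sketched above (a resolver checks signatures; a signed TLD has a record for its key published in the root zone) rests on one small, deterministic computation: the parent zone publishes a DS record that is a hash of the child's DNSKEY, and a validator recomputes that hash to link the two zones. The Python below is an added example, not code from this post or from Afilias; it implements the RFC 4034 key tag and the SHA-256 DS digest (digest type 2, RFC 4509) and shows the comparison a validator performs. The owner name and key bytes are constructed placeholders, not a real zone key.

```python
"""Deriving a DS record from a DNSKEY and checking it the way a validator does.

Added example for this post, not code from the author or Afilias. The key
material below is a constructed placeholder, not a real zone key.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    for label in labels:
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (must be 3), 8-bit algorithm, key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_sep(flags: int) -> bool:
    """Bit 15 (least significant) of the flags is the Secure Entry Point bit;
    a key-signing key with flags 257 sets it, a zone-signing key (256) does not."""
    return bool(flags & 0x0001)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA
    (this form applies to every algorithm except the deprecated RSA/MD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner-name wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> dict:
    """The DS RDATA the parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": ds_digest_sha256(owner, rdata),
    }


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """The validator's check: recompute DS from the child's DNSKEY and compare it
    with the DS served by the parent. Key tag and algorithm are cheap pre-filters;
    the digest is what actually binds the key to the delegation."""
    candidate = ds_record(owner, flags, protocol, algorithm, public_key)
    return (
        candidate["key_tag"] == ds["key_tag"]
        and candidate["algorithm"] == ds["algorithm"]
        and candidate["digest_type"] == ds["digest_type"]
        and candidate["digest"].upper() == ds["digest"].upper()
    )


# Constructed placeholder: a KSK (flags 257) labelled algorithm 8. The four key
# bytes are not a real RSA key; they only exercise the arithmetic.
SAMPLE_OWNER = "example."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 8
SAMPLE_KEY = bytes.fromhex("01020304")

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KEY)
    print(f"{SAMPLE_OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    tampered = SAMPLE_KEY[:-1] + b"\x05"
    print("genuine key matches DS:",
          ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KEY))
    print("tampered key matches DS:",
          ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, tampered))
```

The comparison is case-insensitive on the owner name because the wire form is canonicalised to lowercase before hashing; a DS computed for `EXAMPLE.` and for `example.` is the same record. Any change to the key bytes, the flags or the owner name changes the digest, which is exactly what makes a DS in the parent an effective anchor for the child's key.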

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains



Truly a great start for DNSSEC, Ram. Howard Baldwin  –  Mar 23, 2011 8:52 AM PDT

Truly a great start for DNSSEC, Ram. Thanks for the update. For more on the hows and whys of DNSSEC implementation, check out this white paper from Verisign: http://resources.cio.com/ccd/show/200001949/00116440024019CIO0ZL4SM68V3/

About me: http://bit.ly/fQZRHb

DNSSEC resources Ram Mohan  –  Mar 23, 2011 10:43 AM PDT


Thank you for the kind words - DNSSEC is a major international undertaking, and it is neat to see it go mainstream after so many years of what felt like pushing on a string.

Several excellent resources exist for more information on DNSSEC:
DNSSEC Information & Tools - http://pir.org/dnssec
DNSSEC Resource Center - http://www.afilias.info/dnssec
DNSSEC Deployment Initiative - http://dnssec-deployment.org/
DNSSEC Tools Project - http://dnssec-tools.org/
NamesBeyond DNSSEC - DNSSEC Registrar, http://www.namesbeyond.com/dnssec
DNSSEC Industry Coalition - http://dnsseccoalition.org/website/

For the technically minded, the IETF has published several RFCs on DNSSEC:
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4641: DNSSEC Operational Practices


Don't forget the resolver side Marco Davids  –  Mar 23, 2011 10:57 AM PDT

Let's not forget the resolver side.

Are you ready to do DNSSEC validation?


Resolver tools Ram Mohan  –  Mar 23, 2011 1:36 PM PDT

You're totally right - the resolver side gets more and more important as DNSSEC hits the mainstream.

Tools like the one above (SIDN) are very useful.

In addition, there are several validating resolvers:
DNS OARC - https://www.dns-oarc.net/oarc/services/odvr
DNSSEC Reply Size Test Tool - https://www.dns-oarc.net/oarc/services/replysizetest

A reasonably comprehensive look at tools is available here:
DNSSEC Validation Tools Matrix - https://www.dnssec-deployment.org/wiki/index.php?title=Validation_tools_matrix&oldid=98
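Marco Davids's question about the resolver side has a concrete first check: a validating resolver sets the AD (Authenticated Data) flag in answers it has verified, and returns SERVFAIL for data that fails validation. The Python below is an added example, not code from this thread or from any of the tools listed; it decodes the DNS header flags and classifies a response accordingly. The sample headers are constructed inline, not captured traffic.

```python
"""Reading the AD flag in a resolver's answer as a check of whether that
resolver validates DNSSEC. Added example, not code from the thread; the
responses below are constructed 12-octet headers, not captured traffic."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated this answer
FLAG_CD = 0x0010  # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2


def parse_header(message: bytes) -> dict:
    """Decode the fixed header; section contents are not needed for this check."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-octet header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def validation_status(message: bytes) -> str:
    """Classify a resolver's response from the header alone:
    validated   - AD set, resolver vouches for the data
    unvalidated - AD clear: resolver does not validate, or the zone is unsigned
    servfail    - what a validating resolver returns for data that fails validation
    unchecked   - CD was set, so the resolver skipped validation; AD says nothing
    """
    h = parse_header(message)
    if not h["qr"]:
        return "not-a-response"
    if h["cd"]:
        return "unchecked"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if h["ad"]:
        return "validated"
    return "unvalidated"


def make_header(flags: int, ident: int = 0x1234, ancount: int = 1) -> bytes:
    """Build a constructed response header (one question, `ancount` answers)."""
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed sample headers, one per outcome.
SAMPLE_VALIDATED = make_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
SAMPLE_UNVALIDATED = make_header(FLAG_QR | FLAG_RD | FLAG_RA)
SAMPLE_SERVFAIL = make_header(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, ancount=0)
SAMPLE_CHECKING_DISABLED = make_header(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD)

if __name__ == "__main__":
    for label, sample in [("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                          ("servfail", SAMPLE_SERVFAIL), ("checking disabled", SAMPLE_CHECKING_DISABLED)]:
        print(f"{label:18s} -> {validation_status(sample)}")
```

Two caveats a practitioner should keep in mind when using this check against a live resolver. First, AD is a statement from the resolver to its client and is not itself covered by any signature, so it is only worth trusting on a path that cannot be tampered with (a validator on the host itself, or an authenticated channel to it). Second, AD clear on its own does not distinguish "resolver does not validate" from "this zone is unsigned"; query a name you know is correctly signed and, separately, one you know is deliberately broken: a validating resolver returns the first with AD set and answers SERVFAIL for the second.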


Excellent link - thanx! Here is the link Louise Timmons  –  Mar 23, 2011 10:38 PM PDT

Excellent link - thanx!

Here is the link to the FAQ, to show what is involved to enable DNSSEC:


Mr. Ram Mohan, I have enjoyed your Louise Timmons  –  Mar 23, 2011 10:35 PM PDT

Mr. Ram Mohan, I have enjoyed your updates and appreciate SOMEONE is paying attention to DNSSEC. You said, "the resolver side gets more and more important as DNSSEC hits the mainstream."

Without the RESOLVER side, there is no DNSSEC.

What would it have cost ICANN to promote DNSSEC with ISPs, hosting companies, browser creators, and modem manufacturers? What would it have cost to launch a campaign to bring awareness? to bring everyone on board? to make the internet safer and more secure? All those contingents have to come on board to make DNSSEC mainstream. It would advance the cause of the internet.

But ICANN didn't launch a campaign, because DNSSEC spread nation-wide would adversely affect the pockets of ICANN "Insiders" who depend on the criminal element for part of their income: Verisign and the major Registrars.

The (sometimes unwelcome) fact is that ICANN Ram Mohan  –  Mar 24, 2011 8:06 AM PDT

The (sometimes unwelcome) fact is that ICANN has very little leeway or sway with ISPs, hosting companies, and in many other areas of the technology spectrum. ICANN only has contracts with registries and registrars in the gTLD space, and in that limited space, it is advancing DNSSEC. I have observed (and participated in) all-day workshops on DNSSEC that attract a solid audience at the ICANN meetings for at least the past 2 years.

The interesting play here is how other parts of the technology and DNS industry integrate DNSSEC into their plans - this is a multi-year process, and it needs many segments to rise to the challenge.  Planning, execution and delivery are important - much of the technology work is complete.

Some other questions are whether a business case can be made for DNSSEC implementation, because selling security by itself is very difficult.

