
DNSSEC Takes Off in Wake of Root Zone Signing

Daniel Karrenberg

The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domains they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations such as the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The map below shows the level of DNSSEC deployment in Europe. Those countries marked blue have deployed DNSSEC. Those marked yellow plan to deploy it in the near future. Those in white have no plans as yet to deploy DNSSEC.

Figure 1: DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy)

At the core of DNSSEC is the "chain of trust" that follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that for a domain owner, DNSSEC becomes truly useful once the TLD that domain is under is also signed.

The RIPE NCC maintains zones in domains under several infrastructure TLDs. The vast majority of the zones under these TLDs now support DNSSEC because the parent zones allow delegation signer (DS) records to be included, thereby completing the chain of trust. Recently, the RIPE NCC also enabled the IPv4 reverse zones in the in-addr.arpa parent zone. We expect that at the end of the year, only three of our parent zones will not be able to accept our DS records: 196.in-addr.arpa, .int and .cc. This is considered huge progress since the root zone was signed.
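The link a DS record provides in the chain of trust can be checked mechanically: the parent publishes a digest of the child's key, and a validator recomputes it from the child's DNSKEY. The sketch below is an added example, not code from the article or from the RIPE NCC; it follows the DS digest and key tag definitions in RFC 4034 with SHA-256 (digest type 2), the zone name and key bytes are constructed, and RRSIG signature verification is out of scope.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): a lookup hint, not a security check."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS fields the parent publishes: (key tag, algorithm, digest type, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def link_is_valid(owner, parent_ds, child_dnskeys):
    """True if a DNSKEY served by the child matches the DS held by the parent."""
    tag, alg, dtype, digest = parent_ds
    if dtype != 2:
        return False  # this sketch only handles SHA-256 digests
    for flags, proto, key_alg, pub in child_dnskeys:
        # The key must be a zone key (flag bit 0x0100) using protocol 3.
        if not flags & 0x0100 or proto != 3 or key_alg != alg:
            continue
        rdata = dnskey_rdata(flags, proto, key_alg, pub)
        computed = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
        if key_tag(rdata) == tag and computed == digest.lower():
            return True
    return False

# Constructed sample data: toy key bytes, not real keys.
ZONE = "example.org"
KSK = (257, 3, 8, bytes([0, 1, 2, 3]))   # key-signing key referenced by the DS
ZSK = (256, 3, 8, bytes([9, 9, 9, 9]))   # zone-signing key, not in the DS
PARENT_DS = make_ds(ZONE, dnskey_rdata(*KSK), 8)

if __name__ == "__main__":
    print("chain link intact:", link_is_valid(ZONE, PARENT_DS, [ZSK, KSK]))
    print("after key swap:   ", link_is_valid(ZONE, PARENT_DS, [ZSK]))
```

A zone whose parent cannot accept DS records has no PARENT_DS to check against, which is why a signed zone under an unsigned parent cannot be validated from the root.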

Below you can see a graph showing DS records inside the reverse zones the RIPE NCC is maintaining. Over the last few years, we have observed a steady increase in the number of DS records. In total, there are currently 450 DS records in our zones.

Figure 2: Number of DS records in RIPE NCC-maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.

From our point of view, we are pleased with the progress that DNSSEC has made since the root zone was signed a year ago. Very few industry experts expected the signing of the root zone to have such a substantial impact on the signing of TLDs.

For more information, please refer to the article on RIPE Labs: DNSSEC Deployment Today

By Daniel Karrenberg, Chief Scientist at the RIPE NCC

Related topics: Cybersecurity, DNS, DNS Security, Registry Services, Top-Level Domains


Comments

Ireland has plans to deploy Billy Glynn  –  Aug 30, 2011 9:52 AM PDT

Hi Daniel,

Just to comment that Ireland (dot IE) does have plans to deploy. We have been running a test-bed since 2010. We had intentions to deploy in Q4 2011, however, our deployment date is more likely to be in Q1 2012 now.

It would be great if you could update Figure 1.

Best regards

Billy Glynn
IE Domain Registry Ltd (http://iedr.ie)

Re: Ireland has plans to deploy Mirjam Kuehne  –  Aug 31, 2011 2:04 AM PDT

Hi Billy,

Thanks for your comment and good to know that .ie is planning to deploy DNSSEC. We submitted an updated version of the image to CircleID. I expect this to be included later today. Please note that we also updated the more detailed article on RIPE Labs: http://labs.ripe.net/Members/wnagele/dnssec-deployment-today

Kind regards,
Mirjam Kuehne
RIPE NCC

Updated Ali Farshchian  –  Aug 31, 2011 8:30 AM PDT

The CircleID image has also been updated accordingly.
