Home / Blogs

DNSSEC Takes Off in Wake of Root Zone Signing

Daniel Karrenberg

The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domain they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations such as the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The map below shows the level of DNSSEC deployment in Europe. Those countries marked blue have deployed DNSSEC. Those marked yellow plan to deploy it in the near future. Those in white have no plans as yet to deploy DNSSEC.

Figure 1: DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy)

At the core of DNSSEC is the "chain of trust" that follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that for a domain owner, DNSSEC becomes truly useful once the TLD that domain is under is also signed.

The RIPE NCC is maintaining zones in domains under several infrastructure TLDs. The vast majority of the zones under these TLDs are by now supporting DNSSEC because the parent zones allow delegation signer (DS) records to be included, thereby completing the chain of trust. Recently, the RIPE NCC also enabled the IPv4 reverse zones in the in-addr.arpa parent zone. We expect that at the end of the year, only three of our parent zones will not be able to accept our delegation signer (DS) records: 196.in-addr.arpa, .int and .cc. That is considered a huge progress since the root zone has been signed.

Below you can see a graph showing DS records inside the reverse zones the RIPE NCC is maintaining. Over the last few years, we have observed a steady increase in the number of DS records. In total, there are currently 450 DS records in our zones.

Figure 2: Number of DS records in RIPE NCC-maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.

From our point of view, we are pleased with the progress that DNSSEC has made since the root zone was signed a year ago. Very few industry experts expected the signing of the root zone to have such a substantial impact on the signing of TLDs.

For more information, please refer to the article on RIPE Labs: DNSSEC Deployment Today

By Daniel Karrenberg, Chief Scientist at the RIPE NCC

Related topics: DNS, DNS Security, Registry Services, Security, Top-Level Domains

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Ireland has plans to deploy Billy Glynn  –  Aug 30, 2011 9:52 AM PDT

Hi Daniel,

Just to comment that Ireland (dot IE) does have plans to deploy. We have been been running a test-bed for since 2010. We had intentions to deploy in Q4 2011, however, our deployment date is more likely to be in Q1 2012 now.

It would be great if you could update Figure 1.

Best regards

Billy Glynn
IE Domain Registry Ltd (http://iedr.ie)

Re: Ireland has plans to deploy Mirjam Kuehne  –  Aug 31, 2011 2:04 AM PDT

Hi Billy,

Thanks for your comment and good to know that .ie is planning to deploy DNSSEC. We submitted an updated version of the image to CircleID. I expect this to be included later today. Please note that we also updated the more detailed article on RIPE Labs: http://labs.ripe.net/Members/wnagele/dnssec-deployment-today

Kind regards,
Mirjam Kuehne
RIPE NCC

Updated Ali Farshchian  –  Aug 31, 2011 8:30 AM PDT

The CircleID image also updated accordingly.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Promoted Post

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Startup League Reports from WebSummit, Lisbon

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

.SPACE Becomes the Choice of the First Ever Space Nation Asgardia

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Why .com is the Venture Capital Community's Power Player

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

The .cancerresearch TLD: Search for Cure Drives Digital Innovation

New TLD? Make Sure It's Secure

Radix Launches Startup League at TechCrunch

Celebrating One Year of .online

Sponsored Topics