Home / Blogs

DNSSEC Adoption Part 1: A Status Report

Dr. James Galvin

Where is the domain industry with the adoption of DNSSEC? After a burst of well publicized activity from 2009-2011 — .org, .com, .net, and .gov adopting DNSSEC, roots signed, other Top-Level Domains (TLDs) signed — the pace of adoption appears to have slowed in recent years.

As many CircleID readers know, DNSSEC requires multiple steps in the chain of trust to be in place to improve online security. Those are:

  1. The TLD Must Be Signed – Major TLDs such as .org, .info, .com, and .net have been signed, as have a good number of ccTLDs. All new gTLDs must sign the TLD zone and must accept public key material from registrars, but they are not required to enforce signed second level delegations.
  2. The Registrar Must Support DNSSEC – The registrar where the domain is registered must support DNSSEC. ICANN requires that a registrar must be able to add, remove, or change public key material (DNSKEY or DS resource records) on behalf of registrants for those registries that require it (see point 1).
  3. The DNS Hosting Provider Must Support DNSSEC – Very often a registrar may also provide DNS Hosting services — where they will host the domain name's DNS records, allow management of those records, and publish them to the global DNS. Regardless of whether DNS hosting is provided by the registrar or by another company DNSSEC support is required.

Of course, for DNSSEC to be useful, both the server side and validation on the client side must support signed domains. Client-side validation is moving in a positive direction. In late 2013, APNIC Labs produced research that demonstrated that roughly 8 percent of global DNS queries involved some kind of DNSSEC validation. Last month APNIC unveiled a global validation graph that showed DNSSEC validations increasing to 12 percent.

In the United States Comcast (the country's largest ISP) has adopted client-side validation. Some countries like Sweden and Estonia see a majority of queries using DNSSEC validation. DNSSEC technology standards have been stable and mature since 2007, with only updates, clarifications, and new functionality added since then. "Waiting until the standards are final" is no longer a valid reason to delay deployment.

Authoritative DNS is very mature, and it's easy to get access to DNSSEC information once it is deployed. DNSSEC has been included in every major name server implementation for a few years now. Second level domains can now be signed, but adoption at that level has been frustratingly slow, due to the lack of service provider support (see point 2 above).

The final step in the deployment of DNSSEC is the use of validated information by services and applications to provide enhanced and innovative security services to users, with browsers obviously being first in line. Businesses need to see better online security as a market advantage — especially financial services firms.

More signed domains are needed to demonstrate full viability, and that's currently a huge gap in the DNSSEC chain of trust. New TLDs will help to some degree, but more needs to be done. There are two obstacles standing in the way of more secure domains, one related to policy and one technical.

On the policy side, the new ICANN policy for gTLDs mandates signed TLD zones, but not signed second level delegation. In addition, the 2013 Registrar Accreditation Agreement (RAA) requires registrars to offer "DNSSEC services," but only for those registries that require it.

On the technical side, it is not possible for a gTLD domain name registration with active DNSSEC to be transferred from one registrar to another without breaking the security chain of trust.

Part Two of this series will address impediments to greater DNSSEC adoption.

By Dr. James Galvin, Director, Technical Standards at Afilias. Dr. Galvin is a key leader of the Afilias technical team with over 25 years of Internet standards and policies development experience.

Related topics: Cybersecurity, DNS Security, Domain Names, Top-Level Domains


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


impediments to adoption Carl Byington  –  Sep 08, 2014 9:13 PM PDT

for i in {google,facebook,youtube,yahoo,baidu,twitter,amazon,qq,linkedin}.com wikipedia.org ; do echo $i; dig $i ds +short; done

When *none* of the top 10 (according to Alexa) have bothered to sign their domains, my clients ask "why should I bother?".

Is there *any* major US bank that signs their primary domain?

Yes, Comcast and Google and many others have validating resolvers, but if no one of consequence signs their domains, it won't matter in the long run.

Nope, bank adoption is quite pathetic John Hascall  –  Jan 07, 2015 1:17 PM PDT

I don't know about "any" major US Bank, but I checked the top 20 from http://www.ffiec.gov/nicpubweb/nicweb/top50form.aspx and didn't find any.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


DNS Security

Sponsored by Afilias
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services


Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Startup League Reports from WebSummit, Lisbon

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate