DNSSEC Deployment Reaching Critical Mass

By Ram Mohan
Ram Mohan

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our "Project Safeguard." Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Cybersecurity, DNS, DNS Security, ICANN, New TLDs


Truly a great start for DNSSEC, Ram. Howard Baldwin  –  Mar 23, 2011 7:52 AM PST

Truly a great start for DNSSEC, Ram. Thanks for the update. For more on the hows and whys of DNSSEC implementation, check out this white paper from Verisign: http://resources.cio.com/ccd/show/200001949/00116440024019CIO0ZL4SM68V3/

About me: http://bit.ly/fQZRHb

DNSSEC resources Ram Mohan  –  Mar 23, 2011 9:43 AM PST


Thank you for the kind words - DNSSEC is a major international undertaking, and it is neat to see it go mainstream after so many years of what felt like pushing on a string.

Several excellent resources exist for more information on DNSSEC:
DNSSEC Information & Tools - http://pir.org/dnssec
DNSSEC Resource Centerr - http://www.afilias.info/dnssec
DNSSEC Deployment Initiative - http://dnssec-deployment.org/
DNSSEC Tools Project - http://dnssec-tools.org/
NamesBeyond DNSSEC - DNSSEC Registrar, http://www.namesbeyond.com/dnssec
DNSSEC Industry Coalition - http://dnsseccoalition.org/website/

For the technically minded, the IETF has published several RFCs on DNSSEC:
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4641: DNSSEC Operational Practices


Don't forget the resolver side Marco Davids  –  Mar 23, 2011 9:57 AM PST

Let's not forget the resolver side.

Are you ready to do DNSSEC validation?


Resolver tools Ram Mohan  –  Mar 23, 2011 12:36 PM PST

You're totally right - the resolver side gets more and more important as DNSSEC hits the mainstream.

Tools like the one above (SIDN) are very useful.

In addition, there are several validating resolvers:
DNS OARC - https://www.dns-oarc.net/oarc/services/odvr
DNSSEC Reply Size Test Tool - https://www.dns-oarc.net/oarc/services/replysizetest

A reasonably comprehensive look at tools is available here:
DNSSEC Validation Tools Matrix - https://www.dnssec-deployment.org/wiki/index.php?title=Validation_tools_matrix&oldid=98


Excellent link - thanx!Here is the link Louise Timmons  –  Mar 23, 2011 9:38 PM PST

Excellent link - thanx!

Here is the link to the FAQ, to show what is involved to enable DNSSEC:


Mr. Ram Mohan, I have enjoyed your Louise Timmons  –  Mar 23, 2011 9:35 PM PST

Mr. Ram Mohan, I have enjoyed your updates and appreciate SOMEONE is paying attention to DNSSEC. You said, "the resolver side gets more and more important as DNSSEC hits the mainstream."

Without the RESOLVER side, there is no DNSSEC.

What would it have cost ICANN to promote DNSSEC with ISPs, hosting companies, browser creators, and modem manufacturers? What would it have cost to launch a campaign to bring awareness? to bring everyone on board? to make the internet safer and more secure? All those contingents have to come on board to make DNSSEC mainstream. It would advance the cause of the internet.

But ICANN didn't launch a campaign, because DNSSEC spread nation-wide would adversely affect the pockets of ICANN "Insiders" who depend on the criminal element for part of their income: Verisign and the major Registrars.

The (sometimes unwelcome) fact is that ICANN Ram Mohan  –  Mar 24, 2011 7:06 AM PST

The (sometimes unwelcome) fact is that ICANN has very little leeway or sway with ISPs, hosting companies, and in many other areas of the technology spectrum.  ICANN only has contracts with registries and registrars in the gTLD space, and in that limited space, it is advancing DNSSEC.  I have observed (and participated in) all-day workshops on DNSSEC that attracts a solid audience at the ICANN meetings for at least the past 2 years.

The interesting play here is how other parts of the technology and DNS industry integrate DNSSEC into their plans - this is a multi-year process, and it needs many segments to rise to the challenge.  Planning, execution and delivery are important - much of the technology work is complete.

Some other questions are whether a business case can be made for DNSSEC implementation, because selling security by itself is very difficult.