
First gTLD Signed: Dot Gov

Today is a historic day as the first generic Top-Level Domain (gTLD) has been signed. Only a few other top-level domains, all of which are country code Top-Level Domains (ccTLDs), have been signed to date. This step is part of the first phase of adoption: authoritative DNS servers need to sign and publish their zones. The second part is for the resolvers on the Internet to validate the keys. Both systems working together will provide security in the DNS.

We have a test bed setup that you can try at and as part of our commitment to seeing DNSSEC implemented.

To take a look, notice the “ad” specified in the flags section. It stands for authenticated data.

dig @recursive.dyn-dnssec.com gov. +dnssec

; <<>> DiG 9.3.4-P1.1 <<>> @recursive.dyn-dnssec.com gov. +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22568
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnsops.gov.      IN   A

;; AUTHORITY SECTION:
dnsops.gov.    3491 IN   SOA   snip1.dnsops.gov. admin.dnsops.gov. 20081121 43200 43200 1209600 3600
dnsops.gov.    3491 IN   RRSIG SOA 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. Rx7i6V7Q0hEGxmkGtwfqXKROuL4cR/7QaPjrYUuOgqPREysRfS2Sbuw5 MIKDFUpviB0w3cLyeUiDsH9rCzL14atqpeU47LMhmeaUYv6Jyr8bk7YE HoVQYwnF5/LpOrBjbKDDeLPV4hOIc+miyz8aXpobWnYhXjs/cAZ7TV8W Gt0=
dnsops.gov.    3491 IN   RRSIG NSEC 5 2 3600 20090225162416 20090126162416 30060 dnsops.gov. gv9ce1tAOEjFqoYRI0muEuMKcuwCaE3htGcKLDo4adMub+5Bgt7on6Fp JIdM5QD4p8j4cl++uZn+Q1ky5iOTQZY+Od2kplzoDZ2RiNgORpfJtUq9 F7dR3pf/1MYraAa5lpQ3lmhNDWtqUe7F1V2w+bnjxMdJ0t0wC7iMSVvE A24=
dnsops.gov.    3491 IN   NSEC antd.dnsops.gov. NS SOA MX RRSIG NSEC DNSKEY
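As an added example (not part of the original post), the Python sketch below shows what `+dnssec` and the `ad` flag correspond to on the wire: the DO bit in the query's EDNS0 OPT record and the AD bit in the response header. The function names are illustrative, and the sample header is constructed from the id, flags and counts in the output above.

```python
import struct

# Header flag masks (RFC 1035 section 4.1.1; AD and CD defined by RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT flags (RFC 3225)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, qtype=TYPE_A, udp_size=4096):
    """Build the kind of query `dig +dnssec` sends: RD set, OPT record with DO."""
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!2H", qtype, CLASS_IN)
    # OPT: root owner, type 41, class = UDP size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, DO, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its flags line."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    bits = (("qr", QR), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))
    return {"id": qid, "flags": [n for n, b in bits if flags & b],
            "rcode": flags & 0x000F, "counts": (qd, an, ns, ar)}

def validation_claim(msg):
    """Classify what the resolver claims about DNSSEC validation.

    AD is only the resolver's assertion; it is as trustworthy as the
    resolver and the network path between it and the client.
    """
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        raise ValueError("not a response")
    if h["rcode"] == 2:
        return "servfail"         # returned for bogus data (among other causes)
    if "ad" in h["flags"]:
        return "authenticated"    # answer and authority RRsets were validated
    return "unauthenticated"      # unsigned zone, no anchor, or no validation

# Constructed header matching the dig output above:
# id 22568, flags qr rd ra ad, QUERY 1, ANSWER 0, AUTHORITY 4, ADDITIONAL 1
SAMPLE_RESPONSE = struct.pack("!6H", 22568, QR | RD | RA | AD, 1, 0, 4, 1)
```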

For those who want to add the key to their resolver, add the following key (along with dnssec-enable yes; dnssec-validation yes;):

trusted-keys {
"gov." 257 3 7 "AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm
K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4
yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDF
dmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclT
TdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8=";
};

The only concern right now is that the key is only published in the apex of their zone. Right now, there is no secured out-of-band channel to get it from (I pulled it from an email who got it in the zone data). This is a huge operational challenge as other TLDs become DNSSEC enabled.
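One way to compare a trust anchor against a copy obtained over a separate channel is by its key tag and DS digest instead of the full base64 key. The Python sketch below is an added example, not code from the post: it parses an entry in the trusted-keys syntax shown above and computes the RFC 4034 key tag and a SHA-256 DS digest. The function names and the 4-byte sample key are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

# One trusted-keys entry: "owner." flags protocol algorithm "base64 key";
ENTRY = re.compile(r'"?([^\s"]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_trusted_key(text):
    """Return (owner, DNSKEY RDATA) for the first entry in a trusted-keys body."""
    m = ENTRY.search(text)
    if m is None:
        raise ValueError("no trusted-keys entry found")
    owner, flags, proto, alg, b64 = m.groups()
    # Strip line wrapping; validate=True rejects stray non-base64 characters
    key = base64.b64decode("".join(b64.split()), validate=True)
    return owner, struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def fingerprint(text):
    """Summarise an entry as values an operator can read out or publish."""
    owner, rdata = parse_trusted_key(text)
    flags = struct.unpack("!H", rdata[:2])[0]
    return {"owner": owner, "sep": bool(flags & 0x0001), "algorithm": rdata[3],
            "key_tag": key_tag(rdata), "ds_sha256": ds_sha256(owner, rdata)}

def matches(text, published_tag, published_digest):
    """Compare a local entry with values obtained over a second channel."""
    fp = fingerprint(text)
    wanted = "".join(published_digest.split()).upper()
    return fp["key_tag"] == published_tag and fp["ds_sha256"] == wanted

# Constructed entry (4-byte dummy key, NOT the .gov key) in the page's syntax
SAMPLE = 'trusted-keys {\n "example." 257 3 7 "AQID\n BA==";\n};'
```

A mismatch in either value means the local entry is not the key that was published, which also catches corruption introduced when a key is copied out of an email or web page.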

By Jeremy Hitchcock, DNS and networking engineer, CEO at Dyn Inc



operational challenge partially solved Carl Byington  –  Feb 5, 2009 5:14 AM

The dns operational challenge of getting a LOT of dns servers to trust your key has been partially solved by the ISC dlv registry. You can just add

dnssec-lookaside . trust-anchor dlv.isc.org.;

to your named.conf configuration, together with the appropriate trusted-keys for their registry. That gives you one single trust anchor to maintain, and pushes the job of out-of-band secure verification onto ISC, so every individual DNS administrator does not need to do it.

Please get this .gov key added to the ISC dlv tree.

Still in test mode .... but coming along nicely Doug Montgomery  –  Feb 5, 2009 9:15 PM

Check below for status of DNSSEC at .gov

Still in test mode at the moment, but coming along nicely.  dnsops.gov. is the domain used for the SNIP (http://www.dnsops.gov) and is being used in testing the .gov. roll out.


check a web site and go to jail? Carl Byington  –  Feb 6, 2009 1:11 AM

Well, I might be curious about the status of DNSSEC in .gov, but not at the cost of going past the following text: 

Warning! Use of this site is restricted!

This computer system is for the use of the United States Government. Unauthorized access, or access which exceeds authorized access is punishable under 18 USC 1030.

Let us know how that works out for you.

The facts .... Doug Montgomery  –  Feb 6, 2009 2:24 AM

I noticed that too and am trying to get it fixed.  Status page got put behind the login interface for secure delegations (not really ... if you click past this it still shows the status).

Anyway, for those scared off by the warnings ... here is what it says:



The DotGov is in the process of testing DNSSEC technologies and deployment scenarios for the .gov TLD.

As part of this testing you may notice DNSSEC resource records appearing in the TLD periodically. For the time being, such records should be considered as experimental and these test DNSSEC services are subject to fluctuation and change without further warning. In particular, we recommend not using this experimental service as the basis for validation on production resolvers.

Once testing is completed we will make the official production DNSSEC service declaration announcement on this site. Testing is expected to continue through February.

If your agency wishes to participate in the DNSSEC testing please contact the DotGov help desk. Please address the subject line as DNSSEC TESTING and we will contact you with information.


What about .museum ? Patrick Vande Walle  –  Feb 6, 2009 10:28 AM

I do not wish to minimize the efforts of the US General Services Administration to deploy DNSSEC, but I would note that the first sponsored gTLD to be signed was actually .museum. See Musedoma’s request to ICANN, and its subsequent approval of a limited testing.

PIR has also taken steps in that direction, which were approved by the ICANN board, but no such request from .GOV has yet been submitted, to my knowledge.

Correct Eric Brunner-Williams  –  Feb 7, 2009 1:49 PM

Thank you Patrick. If we were second, or third, we'd still be quite pleased that .museum is signed, and Carl's comment upthread is spot on. See you in Mexico. For the general CircleID reader, I'm the CTO of CORE, which operates the .museum registry back-end, and which signed this zone. Next up for us is signing .cat.

I hope CircleID will fix the misleading title of this article Stephane Bortzmeyer  –  Feb 9, 2009 1:46 PM

But I'm not optimistic :-(

I'm hoping that PIR is going to Jeremy Hitchcock  –  Feb 7, 2009 10:00 PM

I’m hoping that PIR is going to be submitting pretty soon, sounds like they are getting close.  Eric, what’s the best way to receive museum’s key?  Looks like it’s in DLV but do you distribute it elsewhere?

TLD operators can and should submit keys to both IANA’s ITAR at https://itar.iana.org/ and ISC’s DLV Registry.

.MUSEUM not in DLV Stephane Bortzmeyer  –  Feb 9, 2009 1:45 PM

Sorry but, unlike you, I see no .MUSEUM in the ISC DLV registry.

Ah, the key is just in OARC's Jeremy Hitchcock  –  Feb 9, 2009 1:51 PM

Ah, the key is just in OARC’s open resolver and thought it was because they had uploaded the key.  I see the page https://www.dns-oarc.net/oarc/services/odvr now which lists that the key is not verified.  Sorry for the confusion.
