Home / Blogs

DNSSEC Deployment Reaching Critical Mass

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet’s top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC—Domain Name System Security Extensions—is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN’s latest statistics, more than 20% of the world’s TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our “Project Safeguard.” Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world’s existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully “switched on” until the end of the month. When this happens, of the seven “original” gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It’s great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big “anchor tenants” will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

By Ram Mohan, Chief Operating Officer at Afilias

Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Visit Page

Filed Under


Truly a great start for DNSSEC, Ram. Howard Baldwin  –  Mar 23, 2011 3:52 PM

Truly a great start for DNSSEC, Ram. Thanks for the update. For more on the hows and whys of DNSSEC implementation, check out this white paper from Verisign: http://resources.cio.com/ccd/show/200001949/00116440024019CIO0ZL4SM68V3/

About me: http://bit.ly/fQZRHb

DNSSEC resources Ram Mohan  –  Mar 23, 2011 5:43 PM


Thank you for the kind words - DNSSEC is a major international undertaking, and it is neat to see it go mainstream after so many years of what felt like pushing on a string.

Several excellent resources exist for more information on DNSSEC:
DNSSEC Information & Tools - http://pir.org/dnssec
DNSSEC Resource Centerr - http://www.afilias.info/dnssec
DNSSEC Deployment Initiative - http://dnssec-deployment.org/
DNSSEC Tools Project - http://dnssec-tools.org/
NamesBeyond DNSSEC - DNSSEC Registrar, http://www.namesbeyond.com/dnssec
DNSSEC Industry Coalition - http://dnsseccoalition.org/website/

For the technically minded, the IETF has published several RFCs on DNSSEC:
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4641: DNSSEC Operational Practices


Don't forget the resolver side Marco Davids  –  Mar 23, 2011 5:57 PM

Let’s not forget the resolver side.

Are you ready to do DNSSEC validation?


Resolver tools Ram Mohan  –  Mar 23, 2011 8:36 PM

Marco, You're totally right - the resolver side gets more and more important as DNSSEC hits the mainstream. Tools like the one above (SIDN) are very useful. In addition, there are several validating resolvers: DNS OARC - https://www.dns-oarc.net/oarc/services/odvr DNSSEC Reply Size Test Tool - https://www.dns-oarc.net/oarc/services/replysizetest A reasonably comprehensive look at tools is available here: DNSSEC Validation Tools Matrix - https://www.dnssec-deployment.org/wiki/index.php?title=Validation_tools_matrix&oldid=98 -Ram

Excellent link - thanx!Here is the link Louise Timmons  –  Mar 24, 2011 5:38 AM

Excellent link - thanx! Here is the link to the FAQ, to show what is involved to enable DNSSEC: http://dnssectest.sidn.nl/faq.php

Mr. Ram Mohan, I have enjoyed your Louise Timmons  –  Mar 24, 2011 5:35 AM

Mr. Ram Mohan, I have enjoyed your updates and appreciate SOMEONE is paying attention to DNSSEC. You said, “the resolver side gets more and more important as DNSSEC hits the mainstream.”

Without the RESOLVER side, there is no DNSSEC.

What would it have cost ICANN to promote DNSSEC with ISPs, hosting companies, browser creators, and modem manufacturers? What would it have cost to launch a campaign to bring awareness? to bring everyone on board? to make the internet safer and more secure? All those contingents have to come on board to make DNSSEC mainstream. It would advance the cause of the internet.

But ICANN didn’t launch a campaign, because DNSSEC spread nation-wide would adversely affect the pockets of ICANN “Insiders” who depend on the criminal element for part of their income: Verisign and the major Registrars.

The (sometimes unwelcome) fact is that ICANN Ram Mohan  –  Mar 24, 2011 3:06 PM

The (sometimes unwelcome) fact is that ICANN has very little leeway or sway with ISPs, hosting companies, and in many other areas of the technology spectrum. ICANN only has contracts with registries and registrars in the gTLD space, and in that limited space, it is advancing DNSSEC. I have observed (and participated in) all-day workshops on DNSSEC that attracts a solid audience at the ICANN meetings for at least the past 2 years. The interesting play here is how other parts of the technology and DNS industry integrate DNSSEC into their plans - this is a multi-year process, and it needs many segments to rise to the challenge. Planning, execution and delivery are important - much of the technology work is complete. Some other questions are whether a business case can be made for DNSSEC implementation, because selling security by itself is very difficult. -Ram

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix