Home / Blogs

DNSSEC Takes Off in Wake of Root Zone Signing

The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domain they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations such as the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The map below shows the level of DNSSEC deployment in Europe. Those countries marked blue have deployed DNSSEC. Those marked yellow plan to deploy it in the near future. Those in white have no plans as yet to deploy DNSSEC.

Figure 1: DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy)

At the core of DNSSEC is the “chain of trust” that follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that for a domain owner, DNSSEC becomes truly useful once the TLD that domain is under is also signed.

The RIPE NCC is maintaining zones in domains under several infrastructure TLDs. The vast majority of the zones under these TLDs are by now supporting DNSSEC because the parent zones allow delegation signer (DS) records to be included, thereby completing the chain of trust. Recently, the RIPE NCC also enabled the IPv4 reverse zones in the in-addr.arpa parent zone. We expect that at the end of the year, only three of our parent zones will not be able to accept our delegation signer (DS) records: 196.in-addr.arpa, .int and .cc. That is considered a huge progress since the root zone has been signed.

Below you can see a graph showing DS records inside the reverse zones the RIPE NCC is maintaining. Over the last few years, we have observed a steady increase in the number of DS records. In total, there are currently 450 DS records in our zones.

Figure 2: Number of DS records in RIPE NCC-maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.

From our point of view, we are pleased with the progress that DNSSEC has made since the root zone was signed a year ago. Very few industry experts expected the signing of the root zone to have such a substantial impact on the signing of TLDs.

For more information, please refer to the article on RIPE Labs: DNSSEC Deployment Today

By Daniel Karrenberg, Chief Scientist at the RIPE NCC

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Ireland has plans to deploy Billy Glynn  –  Aug 30, 2011 4:52 PM

Hi Daniel,

Just to comment that Ireland (dot IE) does have plans to deploy. We have been been running a test-bed for since 2010. We had intentions to deploy in Q4 2011, however, our deployment date is more likely to be in Q1 2012 now.

It would be great if you could update Figure 1.

Best regards

Billy Glynn
IE Domain Registry Ltd (http://iedr.ie)

Re: Ireland has plans to deploy Mirjam Kuehne  –  Aug 31, 2011 9:04 AM

Hi Billy, Thanks for your comment and good to know that .ie is planning to deploy DNSSEC. We submitted an updated version of the image to CircleID. I expect this to be included later today. Please note that we also updated the more detailed article on RIPE Labs: http://labs.ripe.net/Members/wnagele/dnssec-deployment-today Kind regards, Mirjam Kuehne RIPE NCC

Updated Ali Farshchian  –  Aug 31, 2011 3:30 PM

The CircleID image also updated accordingly.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign