DNSSEC Takes Off in Wake of Root Zone Signing

The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domain they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations such as the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The map below shows the level of DNSSEC deployment in Europe. Those countries marked blue have deployed DNSSEC. Those marked yellow plan to deploy it in the near future. Those in white have no plans as yet to deploy DNSSEC.

Figure 1: DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy)

At the core of DNSSEC is the “chain of trust” that follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that for a domain owner, DNSSEC becomes truly useful once the TLD that domain is under is also signed.

The RIPE NCC maintains zones under several infrastructure TLDs. The vast majority of the zones under these TLDs now support DNSSEC because the parent zones allow delegation signer (DS) records to be included, thereby completing the chain of trust. Recently, the RIPE NCC also enabled the IPv4 reverse zones in the in-addr.arpa parent zone. We expect that at the end of the year, only three of our parent zones will not be able to accept our DS records: 196.in-addr.arpa, .int and .cc. That is considerable progress since the root zone was signed.
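The DS linkage behind the chain of trust and the "parent cannot accept DS records" case described above, as an added example that is not from the article or the RIPE NCC. It checks only that each parent's DS record matches the child's DNSKEY (RFC 4034 SHA-256 digest and key tag), not RRSIG signatures; the zone names and key bytes are constructed placeholders.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, per RFC 4034."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_status(zones: list, ds_in_parent: dict) -> str:
    """Walk down from the root; every child needs a matching DS in its parent."""
    for owner, rdata in zones[1:]:  # zones[0] is the root trust anchor
        ds = ds_in_parent.get(owner)
        if ds is None:
            return f"broken at {owner}: parent publishes no DS"
        if ds != make_ds(owner, rdata):
            return f"broken at {owner}: DS does not match DNSKEY"
    return "complete"

# Constructed sample data: placeholder key bytes and hypothetical zone names.
ZONES = [(".", dnskey_rdata(257, 8, b"constructed-root-key")),
         ("example.", dnskey_rdata(257, 8, b"constructed-tld-key")),
         ("zone.example.", dnskey_rdata(257, 8, b"constructed-zone-key"))]

def demo() -> dict:
    full = {owner: make_ds(owner, rdata) for owner, rdata in ZONES[1:]}
    no_ds = {"example.": full["example."]}  # parent cannot accept the child DS
    stale = dict(full)  # parent still holds a DS made from a different key
    stale["zone.example."] = make_ds("zone.example.", ZONES[1][1])
    return {"full": chain_status(ZONES, full),
            "no_ds": chain_status(ZONES, no_ds),
            "stale": chain_status(ZONES, stale)}

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The `no_ds` case is the signed zone whose parent publishes no DS: its own signatures may be valid, but a validator starting from the root has nothing to link them to.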

Below you can see a graph showing DS records inside the reverse zones the RIPE NCC is maintaining. Over the last few years, we have observed a steady increase in the number of DS records. In total, there are currently 450 DS records in our zones.

Figure 2: Number of DS records in RIPE NCC-maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.

From our point of view, we are pleased with the progress that DNSSEC has made since the root zone was signed a year ago. Very few industry experts expected the signing of the root zone to have such a substantial impact on the signing of TLDs.

For more information, please refer to the article on RIPE Labs: DNSSEC Deployment Today

By Daniel Karrenberg, Chief Scientist at the RIPE NCC

Comments

Ireland has plans to deploy Billy Glynn  –  Aug 30, 2011 4:52 PM

Hi Daniel,

Just to comment that Ireland (dot IE) does have plans to deploy. We have been running a test-bed since 2010. We had intentions to deploy in Q4 2011, however, our deployment date is more likely to be in Q1 2012 now.

It would be great if you could update Figure 1.

Best regards

Billy Glynn
IE Domain Registry Ltd (http://iedr.ie)

Re: Ireland has plans to deploy Mirjam Kuehne  –  Aug 31, 2011 9:04 AM

Hi Billy,

Thanks for your comment and good to know that .ie is planning to deploy DNSSEC. We submitted an updated version of the image to CircleID. I expect this to be included later today.

Please note that we also updated the more detailed article on RIPE Labs: http://labs.ripe.net/Members/wnagele/dnssec-deployment-today

Kind regards,

Mirjam Kuehne
RIPE NCC

Updated Ali Farshchian  –  Aug 31, 2011 3:30 PM

The CircleID image has also been updated accordingly.
