How Widespread is DNSSEC?

In the summer of 2008, the Internet was rocked by the
that the Domain Name System (DNS), one of the core infrastructures of the
Internet, was vulnerable to attack.

The ultimate solution to the DNS vulnerability is a technology that has been available since at least
2004, called DNSSEC (DNS Security

How many domains are actually DNSSEC-secured today? That’s a difficult question to
answer, but one that set out to discover. With tens of millions
of domains potentially at risk, only a small percentage to date are actually

At the top level of the Internet, among what are commonly referred to as the gTLD
(generic top level domains) of .com, .net and .org, only the .org gTLD has been signed
for DNSSEC security.

VeriSign controls .com and .net while the Public Interest Registry (PIR) controls
.org. VeriSign did not respond to‘s query about the current
status of DNSSEC deployment at press time.

On the other hand, the .org domain space was officially signed for
DNSSEC in June of this year. However, having the .org gTLD is just the first step. Since
June, individual domains have migrated to the platform for a beta test. While there are
millions of .org domains, to date only a small number have been signed.

“PIR has signed approximately 25 .org domains with DNSSEC as part of its beta test
phase,” Lauren Price, senior product marketing manager at PIR told “We are manually inserting the DS records into the zone. In
addition, we have the contact data for all of the domain owners in our beta test phase.
PIR will work closely with each domain holder through every phase of the testing to
mitigate risks and capture lessons learned.”

Price added that with the phased beta period, the plan is not to sign a large number
of domains. The focus is instead on having a reasonably sized set of test domains to
provide a quality testing experience.

Network infrastructure vendor Afilias provides the back-end for .org and also has a
number of other TLD initiatives underway for DNSSEC.

“We have a DNSSEC test bed running now for the .IN registry (India),” Howard Eland,
senior director of resolution services at Afilias, told “We also
provide secondary DNS for Sweden (.SE), which is a signed zone, as well as secondary DNS
for ISC’s DLV effort.”

Eland declined to provide specific numbers for the .IN and the .SE registries, in
terms of how many domains are currently secured today. DLV, the DNSSEC Look-aside
Validation technology is
another story

Read the rest at

Latest Articles

Follow Us On Social Media

Explore More