
2015 Will be a Good Year for DNSSEC

Thanks to a major web hosting provider's broad adoption of DNSSEC, 2015 may be the year when we reach the "knee" in the DNSSEC benefits curve. DNSSEC adds cryptographic records (digital signatures) alongside existing DNS records so that end users can detect any changes made during the domain name resolution process. Applying this cryptographic protection is called "signing".

The root of the DNS was signed in 2010 [1]. Following recent, brisk DNSSEC deployment, over 78% of TLDs are now signed [2], and increasing numbers of end users are validating [3] DNS lookups: current measurements show validation at 12% worldwide, 25% in the US, and 62% in Sweden [4]. The last measurement is important and promising: when end users "validate" DNS records against their signatures, they are effectively protecting themselves from unauthorized modifications and attacks such as cache poisoning [5].

The Internet’s infrastructure is well on its way to fully supporting DNSSEC. However, for DNSSEC to be effective, domain names must be signed as well. This has been a difficult goal to achieve, with only approximately 2-3% of names signed. This slow adoption pace may soon change. Web content and DNS hosting provider CloudFlare [6] has announced that it is going to deploy DNSSEC across its platform. The anticipated visible increase in DNSSEC-signed web sites following Cloudflare's deployment should cause a jump in the number of end users, content providers, and innovators [7] benefiting from DNSSEC. More users will benefit from validation, and competition may drive more major providers to DNSSEC as well.
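The chain of trust described above (signed root, signed TLD, signed domain) works because each parent zone publishes a DS record that is a hash of the child's DNSKEY, so a validator can check that the key it received from a child is the one the parent vouched for. The Python below walks through that check per RFC 4034; it is an added example, not code from the original post or from ICANN, and the key bytes and the name "example." are constructed placeholders.

```python
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.rstrip(".").lower().split(".") if lbl)
    return wire + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.digest()

def key_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """The validator's check before trusting a child's DNSKEY: the parent's DS
    (key tag, algorithm, digest type, digest hex) must agree with the key on all fields."""
    tag, alg, digest_type, digest_hex = ds
    return (key_tag(rdata) == tag
            and rdata[3] == alg
            and ds_digest(owner, rdata, digest_type).hex() == digest_hex)

# Constructed demo data (placeholders, not real zone keys): a KSK for "example.",
# flags 257 = zone key + secure entry point, algorithm 13 = ECDSAP256SHA256.
DEMO_KSK = dnskey_rdata(257, 13, bytes(range(64)))
# The DS record the parent zone would publish for that key.
DEMO_DS = (key_tag(DEMO_KSK), 13, 2, ds_digest("example.", DEMO_KSK).hex())
# A key with one flipped bit: the parent never vouched for it, so the digest check fails.
TAMPERED_KSK = DEMO_KSK[:-1] + bytes([DEMO_KSK[-1] ^ 0x01])
```

The same digest check is what a validating resolver performs at every delegation from the root down, which is why an unsigned zone anywhere in the chain leaves the names beneath it unprotected.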

How do we keep the momentum going?

The benefits of DNSSEC will only be fully realized once there is widespread deployment. It is therefore important for us to continue DNSSEC awareness-raising efforts as one step in securing the Internet. I am proud to say that, as part of the Internet Community, we have been instrumental in doing this thus far. Let's keep the pressure on.

Dr. Richard Lamb
Sr. Program Manager, DNSSEC
ICANN

[1] Signing the root is a joint effort with the Community and our root zone management partners. http://www.root-dnssec.org/
[2] DNSSEC TLD stats. https://rick.eng.br/dnssecstat/
[3] If a domain name is signed, responses to DNS lookup requests are validated (checked for unexpected modifications that might indicate an attack) by your ISP’s, enterprise, or personal DNS resolver. Therefore the continued rise in the number of users relying on a DNSSEC-enabled resolver is critical.
[4] DNSSEC validating resolver stats. http://gronggrong.rand.apnic.net/cgi-bin/worldmap
[5] Cache poisoning: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
[6] https://blog.cloudflare.com/help-us-test-our-dnssec-implementation/
[7] With DNSSEC, the DNS becomes a global secure database for distributing more than standard DNS records. This has energized those looking to improve the security of the Internet and the Internet of Things, e.g. DANE: http://www.internetsociety.org/deploy360/resources/dane/
