DNSSEC

DNSSEC can strengthen trust in the internet by helping to protect users from redirection to fraudulent websites and unintended addresses.

Verisign has been involved in the development of Domain Name System Security Extensions (DNSSEC) since 2000, and our engineers played a leading role in the development of the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC implementation and adoption expand, we continue to collaborate with the internet technical community and participate in industry organizations.

In cooperation with the Internet Assigned Numbers Authority (IANA) and the U.S. Department of Commerce, Verisign completed the deployment of DNSSEC in the root zone—the starting point of the Domain Name System (DNS) hierarchy—in 2010. That same year, we enabled DNSSEC in the .edu zone, in collaboration with EDUCAUSE and the National Telecommunications and Information Administration (NTIA). Shortly afterward, we deployed DNSSEC in the .net and .com zones. Since then, nearly all top-level domains (TLDs) have adopted DNSSEC, with signed delegations published in the root zone.

Helping Members of the Internet Ecosystem

We have also helped members of the internet ecosystem take advantage of DNSSEC by publishing technical resources, providing an Operational Test Environment, leading educational sessions, and participating in industry forums.

Trusted Steward of the Internet

Verisign is committed to serving as a trusted steward of the internet. As the registry for .com and .net and a provider of critical internet infrastructure services, our goal is to help protect the internet community from new and emerging cyberattacks as the internet continues to grow.

Our work on DNSSEC is another step in our ongoing fortification of and investment in critical internet infrastructure.

DNSSEC Timeline

1990 A major flaw in the DNS is discovered, prompting discussions about securing the DNS.
1995 DNSSEC becomes a formal topic within the Internet Engineering Task Force (IETF).
1999 The DNSSEC protocol (RFC 2535) is completed and BIND9 is developed as the first DNSSEC-capable implementation.
2001 Key handling creates operational problems that make DNSSEC deployment impossible for large networks. The IETF decides to rewrite the protocol.
2005 DNSSEC standards are rewritten in several RFCs: 4033, 4034, and 4035. In October, Sweden (.se) enables DNSSEC in its zone.
2007 In July, ccTLD .pr (Puerto Rico) enables DNSSEC, followed by .br (Brazil) in September, and .bg (Bulgaria) in October.
2008 The NSEC3 standard (RFC 5155) is published. In September, ccTLD .cz (Czech Republic) enables DNSSEC.
2009 Verisign and EDUCAUSE host a DNSSEC test bed for select .edu registrants. Root zone signed for internal use by Verisign and the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN and Verisign exercise signing the Zone Signing Key (ZSK) with the Key Signing Key (KSK).
2010 Root operators begin to serve the signed root zone, following a community evaluation and testing period. ICANN holds first KSK ceremony event. ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys. Verisign and EDUCAUSE enable DNSSEC for the .edu domain. Verisign enables DNSSEC for the .net domain.
2011 In March, Verisign enables DNSSEC for the .com domain. By the end of the year, 59 TLDs are signed with signed delegations in the root zone.
2012 In January, Comcast announces that its customers are using DNSSEC-validating resolvers. As of March, the number of TLDs signed grew to 90.
2013 In March, Google announced that its Public DNS service implemented DNSSEC validation.
2016 In October, Verisign strengthened DNSSEC for the root zone by increasing the ZSK size to 2048 bits.
2018 In October, Verisign, IANA, and ICANN performed the first root zone KSK rollover.
2019 By the end of the year, 1,390 TLDs are signed, with secure delegations in the root zone.
2023 Verisign upgrades the algorithm used for signing domain names in the .com, .net, and .edu zones, transitioning from algorithm 8 (RSA) to algorithm 13 (ECDSA), allowing for smaller signatures and improved cryptographic strength.

DNSSEC Frequently Asked Questions