DNSSEC
Authenticating the internet from end-to-end.
DNSSEC can strengthen trust in the internet by helping to protect users from redirection to fraudulent websites and unintended addresses.
Verisign has been involved in the development of Domain Name System Security Extensions (DNSSEC) since 2000, and our engineers played a leading role in the development of the DNSSEC Hashed Authenticated Denial of Existence (NSEC3) protocol. As DNSSEC implementation and adoption expand, we continue to collaborate with the internet technical community and participate in industry organizations.
In cooperation with the Internet Assigned Numbers Authority (IANA) and the U.S. Department of Commerce, Verisign completed the deployment of DNSSEC in the root zone—the starting point of the Domain Name System (DNS) hierarchy—in 2010. That same year, we enabled DNSSEC in the .edu zone, in collaboration with EDUCAUSE and the National Telecommunications and Information Administration (NTIA). Shortly afterward, we deployed DNSSEC in the .net and .com zones. Since then, nearly all top-level domains (TLDs) have adopted DNSSEC, with signed delegations published in the root zone.
Helping Members of the Internet Ecosystem
We have also helped members of the internet ecosystem take advantage of DNSSEC by publishing technical resources, providing an Operational Test Environment, leading educational sessions, and participating in industry forums.
Trusted Steward of the Internet
Verisign is committed to serving as a trusted steward of the internet. As the registry for
.com and .net and a provider of
critical internet infrastructure services, our goal is to help protect the internet community from new and emerging cyberattacks as
the internet continues to grow.
Our work on DNSSEC is another step in our ongoing fortification of and investment in critical internet infrastructure.
DNSSEC Timeline
| 1990 | A major flaw in the DNS is discovered, prompting discussions about securing the DNS. |
| 1995 | DNSSEC becomes a formal topic within the Internet Engineering Task Force (IETF). |
| 1999 | The DNSSEC protocol (RFC2535) is completed and BIND9 is developed as the first DNSSEC capable implementation. |
| 2001 | Key handling creates operational problems that make DNSSEC deployment impossible for large networks. The IETF decides to rewrite the protocol. |
| 2005 | DNSSEC standards are rewritten in several RFCs - 4033, 4034, and 4035. In October, Sweden (.se) enables DNSSEC in its zone. |
| 2007 | In July, ccTLD .pr (Puerto Rico) enables DNSSEC, followed by .br (Brazil) in September, and .bg (Bulgaria) in October. |
| 2008 | The NSEC3 standard (RFC 5155) is published. In September, ccTLD .cz (Czech Republic) enables DNSSEC. |
| 2009 |
Verisign and EDUCAUSE host a DNSSEC test bed for select .edu registrants. Root zone signed for internal use by Verisign and the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN and Verisign exercise signing the Zone Signing Key (ZSK) with the Key Signing Key (KSK). |
| 2010 |
Root operators begin to serve the signed root zone, following a community evaluation and testing period. ICANN holds first KSK ceremony event. ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys. Verisign and EDUCAUSE enable DNSSEC for the .edu domain. Verisign enables DNSSEC for the .net domain. |
| 2011 | In March, Verisign enables DNSSEC for the .com domain. By the end of the year, 59 TLDs are signed with signed delegations in the root zone. |
| 2012 | In January, Comcast announces that its customers are using DNSSEC-validating resolvers. As of March, the number of TLDs signed grew to 90. |
| 2013 | In March, Google announced that its Public DNS service implemented DNSSEC validation. |
| 2016 | In October, Verisign strengthened DNSSEC for the root zone by increasing the ZSK size to 2048 bits. |
| 2018 | In October, Verisign, IANA, and ICANN performed the first root zone KSK rollover. |
| 2019 | By end of year, 1,390 TLDs are signed, with secure delegations in the root zone. |
| 2023 | Verisign upgrades the algorithm used for signing domain names in the .com, .net, and .edu zones, transitioning from algorithm 8 (RSA) to algorithm 13 (ECDSA), allowing for smaller signatures and improved cryptographic strength. |
DNSSEC Frequently Asked Questions
DNSSEC works to protect the internet community from forged DNS data by using public key cryptography to digitally sign authoritative zone data. DNSSEC validation helps to assure users that the data originated from the stated source and that it was not modified in transit. DNSSEC can also prove that a domain name does not exist.
DNSSEC benefits many components within the internet infrastructure ecosystem. DNSSEC is designed to provide the following benefits to:
- The internet community, by improving security in the zones that are signed.
- Registrars, by allowing them to offer domain signing services to their customers.
- ISPs, by enhancing the security of the data returned to their customers.
- Users, by guarding them from DNS vulnerabilities such as cache poisoning and "man-in-the-middle" attacks.
In DNSSEC, each zone has at least one public/private key pair. The zone's public key is published using DNS, while the zone's
private key is kept safe and ideally stored offline. A zone's private key signs individual DNS data in that zone, creating
digital signatures that are also published with DNS. DNSSEC uses a rigid trust model, and this chain-of-trust flows from
parent zone to child zone. Higher-level (parent) zones sign the public keys of lower-level (child) zones. The authoritative
name servers for these zones may be managed by registrars, ISPs, hosting/cloud providers, or registrants.
When an end-user wants to access an internet resource, the user's computer requests the domain name record from a recursive
name server, often located at an ISP or within an enterprise network. It also requests the DNSSEC signature for that record.
If the requested information is not currently cached, the recursive name server makes the request to the appropriate
authoritative name server. After the server requests these records, it also requests the public key associated with the zone.
The key and the signature allow the recursive server to verify that the information it receives is identical to the record on
the authoritative name server.
If the recursive name server determines that the address record has been sent by the authoritative name server and has not
been altered in transit, it resolves the domain name and allows the user to access the site. This process is called
validation. If the address record has been modified or is not from the stated source, the recursive name server does not
resolve the domain name to an address, which prevents the user from reaching the fraudulent site.
There are many pieces to the overall puzzle of internet security. DNSSEC may mitigate the security concerns generated by “man-in-the-middle” attacks and cache poisoning, but it is not an overall security solution. DNSSEC does not solve other common threats to internet security, like spoofing or phishing. For this reason, other layers of protection, such as SSL certificates and two-factor authentication, are critical to making the internet secure for everyone.
In cooperation with IANA and the U.S. Department of Commerce, Verisign completed the deployment of DNSSEC in the root zone—the starting point of the DNS hierarchy—in 2010. That same year, we enabled DNSSEC in the .edu zone, in collaboration with EDUCAUSE and the National Telecommunications and Information Administration (NTIA). Shortly afterward, we deployed DNSSEC in the .net and .com zones. Since then, nearly all top-level domains (TLDs) have adopted DNSSEC, with signed delegations published in the root zone.
The successful deployment of DNSSEC has far-reaching benefits for the global internet community by increasing trust for a multitude of internet activities, including e-commerce, online banking, email, VoIP, and online software distribution. However, the entire internet community shares the responsibility for making DNSSEC successful. Success requires the active, coordinated participation of registries, registrars, registrants, hosting companies, software developers, hardware vendors, government, and internet technologists and coalitions.
The internet root zone, TLDs such as .gov, .org, .museum, and a number of ccTLDs have signed the zones that they manage. Other TLDs such as .edu, .net, and .com implemented DNSSEC in 2010 and 2011. These TLDs have started accepting second-level DNSSEC-signed domain names. Large ISPs such as Comcast, and public recursive resolvers from Verisign, Google, Quad9, and Cloudflare have validation for their users. Additionally, some registrars have included DNSSEC implementation in their security solutions. In addition, ICANN has required that registry operators implement DNSSEC for all new generic TLDs.
Although both DNSSEC and SSL rely on public key cryptography, they each perform very different functions that complement,
rather than replace, one another.
In a very simplistic model, DNSSEC deals with "where," and SSL deals with "who" and "how."
- Where—DNSSEC uses digital signatures to verify DNS data integrity, thereby ensuring that users reach the intended IP address. Its job is done once the user reaches the address. DNSSEC does not ensure the identity of the entity at the address, and it does not encrypt interactions between the user and the site.
- Who—SSL uses digital certificates to validate the identity of a site. When these certificates are issued by reputable, third-party certificate authorities (CAs), SSL assures users of the identity of the website owner. However, SSL does nothing to ensure that a user reaches the right site, so it is not applicable against attacks that redirect users. In other words, SSL site validation is effective, but only if a user reaches the correct destination first.
- How—SSL also uses digital certificates to encrypt data exchanges between a user and a site, thereby protecting the confidentiality of financial transactions, communications, e-commerce, and other sensitive interactions.
When woven together, DNSSEC and SSL increase security and trust on the internet: Users can reliably ascertain where they are going, who they are interacting with, and how confidential their interactions are.