ICANN | DNSSEC

In Focus

DNSSEC

DNSSEC Root Deployment

Status

DNSSEC Deployed on 107 out of 317 TLDs [+]

Map of DNSSEC TLDs [+]

Deploying DNSSEC

DNSSEC KSK Key Ceremony

Publications

DNSSEC Factsheet

IANA DNSSEC Root Information

DNSSEC Presentations [+]

Technical

DNSSEC News

DNSSEC Operational on XN--H2BRJ9C.

21 May 2013

DNSSEC Operational on GN.

21 May 2013

DNSSEC Operational on YT.

16 May 2013

DNSSEC Operational on XN--ZCKZAH.

16 May 2013

DNSSEC Operational on XN--P1AI.

16 May 2013

DNSSEC Operational on XN--O3CW4H.

16 May 2013

DNSSEC Operational on XN--MGBX4CD0AB.

16 May 2013

DNSSEC Operational on XN--KPRY57D.

16 May 2013

DNSSEC Operational on XN--KPRW13D.

16 May 2013

DNSSEC Operational on XN--KGBECHTV.

16 May 2013

DNSSEC Operational on XN--JXALPDLP.

16 May 2013

DNSSEC Operational on XN--HLCJ6AYA9ESC7A.

16 May 2013

DNSSEC Operational on XN--HGBK6AJ7F53BBA.

16 May 2013

DNSSEC Operational on XN--G6W251D.

16 May 2013

DNSSEC Operational on XN--DEBA0AD.

16 May 2013

DNSSEC Operational on XN--9T4B11YI5A.

16 May 2013

DNSSEC Operational on XN--80AKHBYKNJ4F.

16 May 2013

DNSSEC Operational on XN--3E0B707E.

16 May 2013

DNSSEC Operational on XN--11B5BS3A9AJ6G.

16 May 2013

DNSSEC Operational on XN--0ZWM56D.

16 May 2013

DNSSEC Operational on WF.

16 May 2013

DNSSEC Operational on US.

16 May 2013

DNSSEC Operational on UK.

16 May 2013

DNSSEC Operational on UG.

16 May 2013

DNSSEC Operational on UA.

16 May 2013

DNSSEC Operational on TZ.

16 May 2013

DNSSEC Operational on TW.

16 May 2013

DNSSEC Operational on TV.

16 May 2013

DNSSEC Operational on TT.

16 May 2013

DNSSEC Operational on TM.

16 May 2013

DNSSEC Operational on TH.

16 May 2013

DNSSEC Operational on TF.

16 May 2013

DNSSEC Operational on SX.

16 May 2013

DNSSEC Operational on SU.

16 May 2013

DNSSEC Operational on SI.

16 May 2013

DNSSEC Operational on SH.

16 May 2013

DNSSEC Operational on SE.

16 May 2013

DNSSEC Operational on SC.

16 May 2013

DNSSEC Operational on RU.

16 May 2013

DNSSEC Operational on RE.

16 May 2013

DNSSEC Operational on PW.

16 May 2013

DNSSEC Operational on PT.

16 May 2013

DNSSEC Operational on PR.

16 May 2013

DNSSEC Operational on POST.

16 May 2013

DNSSEC Operational on PM.

16 May 2013

DNSSEC Operational on PL.

16 May 2013

DNSSEC Operational on ORG.

16 May 2013

DNSSEC Operational on NZ.

16 May 2013

DNSSEC Operational on NU.

16 May 2013

DNSSEC Operational on NL.

16 May 2013

DNSSEC Operational on NF.

16 May 2013

DNSSEC Operational on NET.

16 May 2013

DNSSEC Operational on NC.

16 May 2013

DNSSEC Operational on NA.

16 May 2013

DNSSEC Operational on MY.

16 May 2013

DNSSEC Operational on MUSEUM.

16 May 2013

DNSSEC Operational on MN.

16 May 2013

DNSSEC Operational on MM.

16 May 2013

DNSSEC Operational on MIL.

16 May 2013

DNSSEC Operational on ME.

16 May 2013

DNSSEC Operational on LV.

16 May 2013

DNSSEC Operational on LU.

16 May 2013

DNSSEC Operational on LT.

16 May 2013

DNSSEC Operational on LK.

16 May 2013

DNSSEC Operational on LI.

16 May 2013

DNSSEC Operational on LC.

16 May 2013

DNSSEC Operational on LB.

16 May 2013

DNSSEC Operational on LA.

16 May 2013

DNSSEC Operational on KR.

16 May 2013

DNSSEC Operational on KG.

16 May 2013

DNSSEC Operational on JP.

16 May 2013

DNSSEC Operational on IO.

16 May 2013

DNSSEC Operational on INFO.

16 May 2013

DNSSEC Operational on IN.

16 May 2013

DNSSEC Operational on NF.

22 Apr 2013

DNSSEC Operational on XN--O3CW4H.

18 Apr 2013

DNSSEC Operational on CX.

18 Apr 2013

DNSSEC Operational on TV.

23 Mar 2013

DNSSEC Operational on LT.

21 Feb 2013

DNSSEC Operational on TZ.

8 Feb 2013

DNSSEC Operational on CA.

25 Jan 2013

DNSSEC Operational on RU.

21 Dec 2012

DNSSEC Operational on PW.

21 Dec 2012

DNSSEC Operational on XN--P1AI.

7 Nov 2012

DNSSEC Operational on CC.

25 Oct 2012

DNSSEC Operational on HN.

6 Oct 2012

DNSSEC Operational on XN--MGBX4CD0AB.

21 Sep 2012

DNSSEC Operational on FO.

18 Sep 2012

DNSSEC Operational on TT.

16 Aug 2012

DNSSEC Operational on LV.

9 Aug 2012

DNSSEC Operational on POST.

7 Aug 2012

DNSSEC Operational on MIL.

15 Jul 2012

DNSSEC Operational on XN--3E0B707E.

24 Jun 2012

DNSSEC Operational on LB.

24 May 2012

DNSSEC Operational on UA.

13 Apr 2012

ISPs Agree to FCC Rules on Anti-Botnet, DNSSEC, Internet Routing

22 Mar 2012

Sitios web de bancos ticos podran ser mas seguros (Bank websites may be safer)

15 Mar 2012

Costa Rica ready to provide security for Internet domains

13 Mar 2012

DNSSEC Operational on CR.

10 Mar 2012

DNSSEC - security for the .at zone

29 Feb 2012

DNSSEC Operational on NZ.

26 Feb 2012

FCC chairman calls on ISPs to adopt secure routing standards and DNSSEC, combat botnets

22 Feb 2012

Domain Pulse 2012: Registrars, Resellers Reluctant to Support DNSSEC, New gTLDs

23 Feb 2012

DNSSEC Operational on PL.

10 Feb 2012

DNSSEC Operational on AT.

10 Feb 2012

Securing the Internet with DNSSEC

6 Feb 2012

ICANN DNSSEC Root Zone wins SysTrust certification - Again

27 Jan 2012

Will 2012 be the dawn of DNSSEC?

Jan 18 2012

DNSSEC Adoption Needs to Grow to Secure Core Internet, Protocols

12 Jan 2012

DNSSEC Operational on SI.

24 Dec 2011

Telefonica Improves Internet Access Security

16 December 2011

DNSSEC Operational on NZ.

13 Dec 2011

DNSSEC Operational on SX.

10 Dec 2011

PayPal domains are now using DNSSEC

8 December 2011

COMCAST DNSSEC Deployment Update

8 December 2011

DNSSEC Operational on MM.

30 Nov 2011

DNSSEC Operational on KR.

24 Nov 2011

As the first operator to do so, Vodafone secures its services with DNSSEC technology

24 November 2011

DNSSEC Operational on UG.

13 Nov 2011

Seven accused in US$14m DNS scam

9 November 2011

Major DNS Cache Poisoning Attack Hits Brazilian ISPs

7 November 2011

DNSSEC Operational on XN--KPRY57D.

5 Nov 2011

DNSSEC Operational on XN--KPRW13D.

5 Nov 2011

DNSSEC Operational on TW.

5 Nov 2011

DNSSEC Operational on SU.

25 Oct 2011

What You Need To Know About DNSSEC

26 August 2011

DNSSEC Operational on GL.

5 Aug 2011

DNSSEC Operational on NC.

13 Jul 2011

DNSSEC Operational on XN--G6W251D.

18 Jun 2011

DNSSEC Operational on DE.

8 Jun 2011

DNSSEC Operational on SH.

30 Apr 2011

DNSSEC Operational on IO.

30 Apr 2011

DNSSEC Operational on AC.

30 Apr 2011

DNSSEC Operational on CL.

22 Apr 2011

DNSSEC Operational on COM.

31 Mar 2011

DNSSEC Operational on CO.

18 Mar 2011

DNSSEC Operational on LU.

11 Mar 2011

DNSSEC Operational on AM.

3 Feb 2011

DNSSEC Operational on KG.

27 Jan 2011

DNSSEC Operational on LA.

15 Jan 2011

DNSSEC Operational on AG.

26 Dec 2010

DNSSEC Operational on GR.

16 Dec 2010

DNSSEC Operational on JP.

10 Dec 2010

DNSSEC Operational on NET.

9 Dec 2010

DNSSEC Operational on MY.

7 Dec 2010

DNSSEC Operational on WF.

6 Dec 2010

DNSSEC Operational on ARPA.

6 Dec 2010

DNSSEC Operational on ME.

1 Dec 2010

DNSSEC Operational on IN.

24 Nov 2010

DNSSEC Operational on ASIA.

17 Nov 2010

DNSSEC Operational on SC.

11 Nov 2010

DNSSEC Operational on NL.

11 Nov 2010

DNSSEC Operational on FI.

9 Nov 2010

DNSSEC Operational on MN.

6 Nov 2010

DNSSEC Operational on GI.

3 Nov 2010

DNSSEC Operational on LC.

29 Oct 2010

DNSSEC Operational on GOV.

28 Oct 2010

DNSSEC Operational on HN.

24 Oct 2010

DNSSEC Operational on BZ.

17 Oct 2010

DNSSEC Operational on FR.

29 Sep 2010

DNSSEC Operational on RE.

25 Sep 2010

DNSSEC Operational on NU.

25 Sep 2010

DNSSEC Operational on TH.

23 Sep 2010

DNSSEC Operational on PR.

23 Sep 2010

DNSSEC Operational on YT.

17 Sep 2010

DNSSEC Operational on PT.

17 Sep 2010

DNSSEC Operational on LI.

17 Sep 2010

DNSSEC Operational on TF.

11 Sep 2010

DNSSEC Operational on BE.

9 Sep 2010

DNSSEC Operational on INFO.

4 Sep 2010

DNSSEC Operational on EU.

2 Sep 2010

DNSSEC Operational on SE.

27 Aug 2010

DNSSEC Operational on PM.

27 Aug 2010

DNSSEC Operational on CH.

27 Aug 2010

DNSSEC Operational on XN--ZCKZAH.

26 Aug 2010

DNSSEC Operational on XN--KGBECHTV.

26 Aug 2010

DNSSEC Operational on XN--JXALPDLP.

26 Aug 2010

DNSSEC Operational on XN--HLCJ6AYA9ESC7A.

26 Aug 2010

DNSSEC Operational on XN--HGBK6AJ7F53BBA.

26 Aug 2010

DNSSEC Operational on XN--G6W251D.

26 Aug 2010

DNSSEC Operational on XN--DEBA0AD.

26 Aug 2010

DNSSEC Operational on XN--9T4B11YI5A.

26 Aug 2010

DNSSEC Operational on XN--80AKHBYKNJ4F.

26 Aug 2010

DNSSEC Operational on XN--11B5BS3A9AJ6G.

26 Aug 2010

DNSSEC Operational on XN--0ZWM56D.

26 Aug 2010

DNSSEC Operational on US.

7 Aug 2010

DNSSEC Operational on MUSEUM.

7 Aug 2010

DNSSEC Operational on BIZ.

7 Aug 2010

CEO Remarks on Black Hat / Def Con

3 August 2010

DNSSEC Operational on EDU.

30 Jul 2010

DNSSEC Operational on DK.

30 Jul 2010

DNSSEC Operational on ORG.

22 Jul 2010

DNSSEC Operational on LK.

22 Jul 2010

DNSSEC Operational on NA.

10 Jul 2010

DNSSEC Operational on BG.

4 Jul 2010

DNSSEC Operational on CAT.

1 Jul 2010

DNSSEC Operational on TM.

30 Jun 2010

DNSSEC Operational on CZ.

24 Jun 2010

DNSSEC Operational on UK.

23 Jun 2010

DNSSEC Operational on BR.

23 Jun 2010

The Long Road to DNSSEC Deployment

28 July 2009

Other DNSSEC Sites

ICANN to Convene Annual Europe Regional Registry/Registrar Event

March 28, 2011

Planned Changes to IPv4 Reverse DNS Infrastructure

December 15, 2010

An Update on ICANN Security Efforts

November 12, 2010

CEO Remarks on Black Hat / Def Con

August 3, 2010

DNSSEC

To easily identify resources on the Internet, the underlying numerical addresses for these resources are represented by human readable strings. The conversion of these strings to numbers is done by the distributed hierarchical Doman Name System (DNS). Increased sophistication in computing and networking since its design in 1983 have made this "phone book" vulnerable to attacks. Specifically, to the ability of attackers to falsify responses to queries to the DNS thus allowing attackers to redirect end users to Web sites under their own control (for account and password collection) without notice.

In response to these threats, the international standards organization, IETF, developed DNSSEC to cryptographically ensure DNS content cannot be modified from its source without being detected. Once fully deployed, DNSSEC will stop the attacker's ability to redirect users using the DNS. Of particular interest to ISPs and enterprises, DNSSEC will prevent en masse redirection at the DNS resolver (also known as cache poisoning).

DNSSEC works by digitally signing each DNS record so that any tampering of that record can be detected. The digital signatures, and keys used to create them, are distributed just like any other records in the DNS making DNSSEC backward compatible. Keys in each layer in the DNS hierarchy are signed by keys from the preceding layer which effectively vouches for them just like domain names are delegated from one layer to the next. This "chain of trust" is used to validate the digital signatures accompanying DNSSEC protected records to detect changes.

Starting with the discovery of improved DNS exploits in 2008 together with broad multi-stakeholder support, DNSSEC has been deployed at an accelerated pace on many top level domains, the "root", and products. For the public to benefit fully from DNSSEC via the chain of security it establishes from content source to end user, it must be supported by every entity along this chain, e.g., ISPs and domain name owners.

Moving Forward: With the healthy deployment of DNSSEC well on its way and serious efforts to make use of the resulting global PKI to expand the benefits of cryptographic security to the masses, DNSSEC has the potential of becoming a critical link for a wide range of industry applications.

Greater support of DNSSEC by Registrars, ISPs, Registrants, and enterprises will help achieve this potential by building on the international bottom-up, multi-stakeholder DNSSEC infrastructure deployment efforts that have brought us to where we are today. Specifically, to help reap the full benefits of DNSSEC we recommend the following:

Turn on DNSSEC validation on DNS resolution services.
Deploy DNSSEC on domain names.
Raise awareness of the security benefits of DNSSEC and its secure deployment.

Future Applications: Although ancillary to its original purpose, DNSSEC is seen by many Internet veterans as a platform for innovation for a whole new range of Internet security solutions from digital certificates and email to yet to be discovered products. Therefore, gaining experience with DNSSEC may have broader value.

This web page is designed to track activities relating to DNSSEC. For more information on DNSSEC and interest in DNSSEC education and training please contact dnssec@icann.org.