The Internet is critical infrastructure, yet its operation depends on the fundamentally insecure DNS. Thus, there is strong incentive to secure DNS, and deploying DNSSEC is generally considered to be a critical part of that effort. For example, the U.S.
National Strategy to Secure Cyberspace specifically identified the need to secure DNS. Wide-scale deployment of DNSSEC could resolve many other security problems as well, such as secure key distribution for e-mail addresses. DNSSEC deployment in large-scale networks is also challenging. Ozment and Schechter observe that DNSSEC (and other technologies) has a "bootstrap problem": users typically only deploy a technology if they receive an immediate benefit, but if a minimal level of deployment is required before
any users receive a benefit greater than their costs (as is true for DNSSEC), it is difficult to deploy. DNSSEC can be deployed at any level of a DNS hierarchy, but it must be widely available in a zone before many others will want to adopt it. DNS servers must be updated with software that supports DNSSEC, and DNSSEC data must be created and added to the DNS zone data. A TCP/IP-using client must have their DNS resolver (client) updated before it can use DNSSEC's capabilities. What is more, any resolver must have, or have a way to acquire, at least one public key that it can trust before it can start using DNSSEC. DNSSEC implementation can add significant load to some DNS servers. Common DNSSEC-signed responses are far larger than the default UDP size of 512 bytes. In theory, this can be handled through multiple IP fragments, but many "middleboxes" in the field do not handle these correctly. This leads to the use of TCP instead. Yet many current TCP implementations store a great deal of data for each TCP connection; heavily loaded servers can run out of resources simply trying to respond to a larger number of (possibly bogus) DNSSEC requests. Some protocol extensions, such as
TCP Cookie Transactions, have been developed to reduce this loading. To address these challenges, significant effort is ongoing to deploy DNSSEC, because the Internet is so vital to so many organizations.
Early deployments Early adopters include
Brazil (
.br),
Bulgaria (
.bg),
Czech Republic (
.cz),
Namibia (
.na)
Puerto Rico (
.pr) and
Sweden (
.se), who use DNSSEC for their
country code top-level domains;
RIPE NCC, who have signed all the reverse lookup records (in-addr.arpa) that are delegated to it from the
Internet Assigned Numbers Authority (IANA).
ARIN is also signing their reverse zones. In February 2007,
TDC became the first Swedish ISP to start offering this feature to its customers. IANA publicly tested a sample signed root since June 2007. During this period prior to the production signing of the root, there were also several alternative trust anchors. The IKS Jena introduced one on January 19, 2006, the
Internet Systems Consortium introduced another on March 27 of the same year, while
ICANN themselves announced a third on February 17, 2009. On June 2, 2009,
Afilias, the registry service provider for
Public Interest Registry's .org zone signed the .org TLD. Afilias and PIR also detailed on September 26, 2008, that the first phase, involving large registrars it has a strong working relationship with ("friends and family") would be the first to be able to sign their domains, beginning "early 2009". On June 23, 2010, 13 registrars were listed as offering DNSSEC records for .ORG domains. VeriSign ran a pilot project to allow .com and .net domains to register themselves for the purpose of NSEC3 experimentation. On February 24, 2009, they announced that they would deploy DNSSEC across all their top-level domains (.com, .net, etc.) within 24 months, and on November 16 of the same year, they said the .com and .net domains would be signed by the first quarter of 2011, after delays caused by technical aspects of the implementation. This goal was achieved on-schedule and Verisign's DNSSEC VP, Matt Larson, won InfoWorld's Technology Leadership Award for 2011 for his role in advancing DNSSEC.
Deployment at the DNS root DNSSEC was first deployed at the root level on July 15, 2010. This is expected to greatly simplify the deployment of DNSSEC resolvers, since the root trust anchor can be used to validate any DNSSEC zone that has a complete chain of trust from the root. Since the chain of trust must be traced back to a trusted root without interruption in order to validate, trust anchors must still be configured for secure zones if any of the zones above them are not secure. For example, if the zone "signed.example.org" was secured but the "example.org" zone was not, then, even though the ".org" zone and the root are signed, a trust anchor has to be deployed in order to validate the zone. Political issues surrounding signing the root have been a continuous concern, primarily about some central issues: • Other countries are concerned about U.S. control over the Internet, and may reject any centralized keying for this reason. • Some governments might try to ban DNSSEC-backed encryption key distribution.
Planning In September 2008, ICANN and VeriSign each published implementation proposals and in October, the
National Telecommunications and Information Administration (NTIA) asked the public for comments. It is unclear if the comments received affected the design of the final deployment plan. On June 3, 2009, the
National Institute of Standards and Technology (NIST) announced plans to sign the root by the end of 2009, in conjunction with ICANN,
VeriSign and the NTIA. On October 6, 2009, at the 59th
RIPE Conference meeting, ICANN and VeriSign announced the planned deployment timeline for deploying DNSSEC within the root zone. At the meeting it was announced that it would be incrementally deployed to one root name server a month, starting on December 1, 2009, with the final root name server serving a DNSSEC signed zone on July 1, 2010, and the root zone will be signed with a RSA/SHA256 DNSKEY. This means the keys that were used to sign the zone use are deliberately unverifiable; the reason for this deployment was to monitor changes in traffic patterns caused by the larger responses to queries requesting DNSSEC resource records. The
.org top-level domain was signed with DNSSEC in June 2010, followed by
.com,
.net, and
.edu later in 2010 and 2011.
Country code top-level domains were able to deposit keys starting in May 2010. more than 25% of top-level domains are signed with DNSSEC.
Implementation On January 25, 2010, the L (ell) root server began serving a
Deliberately Unvalidatable Root Zone (DURZ). The zone uses signatures of a
SHA-2 (SHA-256) hash created using the
RSA algorithm, as defined in . As of May 2010, all thirteen root servers began serving the DURZ. DLV was intended to make DNSSEC easier to deploy in the absence of a root trust anchor. At the time it was imagined that a validator might have to maintain large numbers of trust anchors corresponding to signed subtrees of the DNS. The purpose of DLV was to allow validators to offload the effort of managing a trust anchor repository to a trusted third party. The DLV registry maintained a central list of trust anchors, instead of each validator repeating the work of maintaining its own list. To use DLV, a validator that supports it was needed, such as
BIND or
Unbound, configured with a trust anchor for a DLV zone. This zone contained DLV records; these had exactly the same format as DS records, but instead of referring to a delegated sub-zone, they referred to a zone elsewhere in the DNS tree. When the validator could not find a chain of trust from the root to the RRset it is trying to check, it searched for a DLV record that could provide an alternative chain of trust. Gaps in the chain of trust, such as unsigned top-level domains or registrars that did not support DNSSEC delegations, meant administrators of lower-level domains could use DLV to allow their DNS data to be validated by resolvers which had been configured to use DLV. This may have hindered DNSSEC deployment by taking pressure off registrars and TLD registries to properly support DNSSEC. DLV also added complexity by adding more actors and code paths for DNSSEC validation. ISC decommissioned its DLV registry in 2017. DLV support was deprecated in BIND 9.12 and completely removed from BIND 9.16. Unbound version 1.5.4 (July 2015) marked DLV as decommissioned in the example configuration and manual page. Knot Resolver and PowerDNS Recursor never implemented DLV. In March 2020, the
IETF published , retiring DLV as a standard and moving RFC 4432 and RFC 5074 to "Historic" status.
DNSSEC deployment initiative by the U.S. federal government The Science and Technology Directorate of the
U.S. Department of Homeland Security (DHS) sponsors the "DNSSEC Deployment Initiative". This initiative encourages "all sectors to voluntarily adopt security measures that will improve security of the Internet's naming infrastructure, as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors." DHS also funds efforts to mature DNSSEC and get it deployed inside the U.S. federal government. It was reported that on March 30, 2007, the
U.S. Department of Homeland Security proposed "to have the key to sign the DNS root zone solidly in the hands of the US government." However no U.S. Government officials were present in the meeting room and the comment that sparked the article was made by another party. DHS later commented on why they believe others jumped to the false conclusion that the U.S. Government had made such a proposal: "The U.S. Department of Homeland Security is funding the development of a technical plan for implementing DNSSec, and last October distributed an initial draft of it to a long list of international experts for comments. The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor. "Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security."
DNSSEC deployment in the U.S. federal government The
National Institute of Standards and Technology (NIST) published NIST Special Publication 800-81 Secure Domain Name System (DNS) Deployment Guide on May 16, 2006, with guidance on how to deploy DNSSEC. NIST intended to release new DNSSEC Federal Information Security Management Act (FISMA) requirements in NIST SP800-53-R1, referencing this deployment guide. U.S. agencies would then have had one year after final publication of NIST SP800-53-R1 to meet these new FISMA requirements. However, at the time NSEC3 had not been completed. NIST had suggested using split domains, a technique that is known to be possible but is difficult to deploy correctly, and has the security weaknesses noted above. On 22 August 2008, the Office of Management and Budget (OMB) released a memorandum requiring U.S. Federal Agencies to deploy DNSSEC across .gov sites; the .gov root must be signed by January 2009, and all subdomains under .gov must be signed by December 2009. While the memo focuses on .gov sites, the U.S. Defense Information Systems Agency says it intends to meet OMB DNSSEC requirements in the .mil (U.S. military) domain as well. NetworkWorld's Carolyn Duffy Marsan stated that DNSSEC "hasn't been widely deployed because it suffers from a classic chicken-and-egg dilemma... with the OMB mandate, it appears the egg is cracking."
Deployment in resolvers Several ISPs have started to deploy DNSSEC-validating DNS recursive resolvers. Comcast became the first major ISP to do so in the United States, announcing their intentions on October 18, 2010 and completing deployment on January 11, 2012. According to a study at
APNIC, the proportion of clients who exclusively use DNS resolvers that perform DNSSEC validation rose to 8.3% in May 2013. About half of these clients were using
Google's public DNS resolver. In September 2015, Verisign announced their free public DNS resolver service, and although unmentioned in their press releases, it also performs DNSSEC validation. By the beginning of 2016, APNIC's monitoring showed the proportion of clients who exclusively use DNS resolvers that perform DNSSEC validation had increased to about 15%.
DNSSEC support Google's
public recursive DNS server enabled DNSSEC validation on May 6, 2013.
BIND, the most popular DNS management software, enables DNSSEC support by default since version 9.5. The
Quad9 public recursive DNS has performed DNSSEC validation on its main 9.9.9.9 address since it was established on May 11, 2016. Quad9 also provides an alternate service which does not perform DNSSEC validation, principally for debugging.
Deployment in infrastructure In September 2023, Microsoft announced it would utilize DNSSEC (via
DANE) to verify the authenticity of certificates during SMTP communications. == Reception ==