


DNSSEC (DNS SECurity) is an emerging standard developed to help users gain assurance that the remote DNS server they are seeking to communicate with has been independently verified and is genuine.

DNSSEC is an emerging standard helping Net users with domain name verification through authentication.

One challenge for DNSSEC deployment faced by Registry operators is empowering the domain name owner with mechanisms to submit their unique domain name authentication key to the Registry. This process requires the key provider for a specific domain name to be authenticated, usually by the Registrar. Then the Registrar needs to have mechanisms in place to accept keys from these providers, who in turn submit the key data to the Registry for inclusion in the TLD zone file on behalf of their customer.

From an operator perspective, another challenge is the additional data elements required in the Zone File to accommodate DNSSEC, which make the size and management of the Zone Data increasingly complex. For example, when becoming DNSSEC compliant, the zone size alone can increase by as much as eight times.

From the user's perspective, the challenge associated with DNSSEC is keeping the user informed as to when DNSSEC is enabled and also when verification fails. As a consequence, Application Level providers need to ensure their products are optimised for DNSSEC compliance. Such issues can taint the benefits of DNSSEC and dampen its adoption by users, and critical mass may only occur once DNSSEC is considered mature.

Regarding today's Root Server structure, four factors have been determined to have an impact on the scaling of the Root: DNSSEC, IPv6, IDNs and new TLDs. DNSSEC has been determined to have the largest impact on the scaling of the Root, as it produces the largest increase in size of the currently small Root file. DNSSEC will:

  • Increase the amount of data required for each TLD.
  • Increase the number of variables per TLD.
  • Increase the number of changes per TLD per year.

DNSSEC is currently available in two different forms: NSEC and NSEC3. This paper explores the use by TLD Registry operators of a variation of DNSSEC with an Opt-Out option, an option achievable through NSEC3+OptOut. NSEC3+OptOut allows:

  • Users to become compliant either within a specified time frame or on a schedule that better aligns with organizational objectives.
  • TLDs to tackle DNSSEC compliance in more manageable increments, moving forward without the requirement of having ALL associated names compliant first.
  • Existing design vulnerabilities to be mitigated.
  • The impact on zone size to remain small, because NSEC3 with Opt-Out requires customers to explicitly state that they want to use DNSSEC; standard NSEC or NSEC3 requires all records to be signed.
  • Less "impact" on "non-signed" users at all levels in the DNS tree.
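To make the zone-size point concrete, here is an added Python example (not code from this paper or from CommunityDNS) that builds the NSEC3 chain for a small constructed TLD with and without the Opt-Out flag, using the RFC 5155 hash, and shows what a validator concludes about an unsigned delegation in each case. The zone names are invented, and the salt and iteration count are left at their simplest values.

```python
import base64, hashlib

# base32 -> base32hex alphabet translation (RFC 4648 s7), the encoding NSEC3 owner labels use.
TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: IH(0) = SHA-1(owner || salt), IH(k) = SHA-1(IH(k-1) || salt)."""
    x = wire_name(name)
    for _ in range(iterations + 1):
        x = hashlib.sha1(x + salt).digest()
    return base64.b32encode(x).translate(TO_B32HEX).decode().lower()

def build_nsec3_chain(zone, names, opt_out):
    """names maps each owner to whether the delegation has a DS (the customer signed).
    Without Opt-Out every name gets an NSEC3 record; with Opt-Out (flag bit 0 set) the
    unsigned delegations are left out and fall into the gaps between the remaining records."""
    included = [n for n, signed in names.items() if n == zone or signed or not opt_out]
    hashes = sorted(nsec3_hash(n) for n in included)
    return [{"owner": h, "next": hashes[(i + 1) % len(hashes)], "flags": 1 if opt_out else 0}
            for i, h in enumerate(hashes)]

def covers(rec, h):
    if rec["owner"] < rec["next"]:
        return rec["owner"] < h < rec["next"]
    return h > rec["owner"] or h < rec["next"]  # the last record wraps round to the first

def lookup(chain, name):
    """What a validator learns about name: an exact NSEC3 proves it exists (and whether it has
    a DS); a covering record with Opt-Out set proves only that an unsigned delegation may sit in
    that gap, so the validator treats the delegation as insecure rather than bogus."""
    h = nsec3_hash(name)
    for rec in chain:
        if rec["owner"] == h:
            return "match", rec["flags"]
        if covers(rec, h):
            return "covered", rec["flags"]
    return "no record", None

# Constructed sample TLD: five delegations, two of which submitted a DS. The apex is always included.
ZONE = "tld."
NAMES = {"tld.": True, "alpha.tld.": True, "bravo.tld.": False,
         "charlie.tld.": False, "delta.tld.": True, "echo.tld.": False}
FULL = build_nsec3_chain(ZONE, NAMES, opt_out=False)   # 6 NSEC3 records, each needing an RRSIG
OPTOUT = build_nsec3_chain(ZONE, NAMES, opt_out=True)  # 3 NSEC3 records
```

The three unsigned delegations cost the Opt-Out chain nothing, which is why the zone growth stays proportional to the customers who actually submit keys.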


DNSSEC is a mechanism for DNS data that allows end users to verify their intended destination's domain name.

DNSSEC is a verification mechanism for DNS data. It allows an end-user to verify that the zone data they have been presented with was published by the person who holds the private key for that domain. If TLD operators obtain a referencing tag called a "finger print" of their customer's public key and include it in their zone, end users will be able to use this to verify the customer's zone data. By signing these finger prints (DS Records) with the TLD's own keys, an end user can use the TLD operator's keys to verify the customer's key and hence verify they have the right keys for the customer's zone. This is called the "chain of authentication".
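As an added illustration of the "finger print" step described above (example code written for this page, not CommunityDNS software), the following Python computes a DS record from a DNSKEY exactly as RFC 4034 specifies and walks a three-level chain of authentication from a trust anchor down to a customer zone. The key bytes and zone names are constructed placeholders, and RRSIG verification is left out.

```python
import hashlib

def wire_name(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA (RFC 4034 s2.1): Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """The "finger print" a parent publishes for a child key (RFC 4034 s5.1.4):
    hash(canonical owner name | DNSKEY RDATA). Digest type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": h(wire_name(owner) + rdata).digest()}

def validate_chain(trust_anchor_ds, zones):
    """Walk the chain of authentication from the trust anchor down to the leaf (apex first).
    Each zone's DNSKEY must reproduce the DS its parent published; a missing DS means an
    unsigned delegation. RRSIG checks on the DNSKEY/DS RRsets are omitted here."""
    expected_ds = trust_anchor_ds
    for zone in zones:
        if expected_ds is None:
            return False, zone["name"]  # parent published no DS: chain is broken here
        if make_ds(zone["name"], zone["dnskey"], expected_ds["digest_type"]) != expected_ds:
            return False, zone["name"]  # key does not match what the parent vouched for
        expected_ds = zone.get("child_ds")  # DS for the next zone down, absent at the leaf
    return True, zones[-1]["name"]

# Constructed sample keys (fixed byte patterns, not real public keys) and a three-level chain.
ROOT_KEY = dnskey_rdata(257, 13, bytes(range(32)))
TLD_KEY = dnskey_rdata(257, 13, bytes(range(32, 64)))
CUST_KEY = dnskey_rdata(257, 13, bytes(range(64, 96)))
TRUST_ANCHOR = make_ds(".", ROOT_KEY)  # configured in the validator, like the root trust anchor
CHAIN = [
    {"name": ".", "dnskey": ROOT_KEY, "child_ds": make_ds("tld.", TLD_KEY)},
    {"name": "tld.", "dnskey": TLD_KEY, "child_ds": make_ds("customer.tld.", CUST_KEY)},
    {"name": "customer.tld.", "dnskey": CUST_KEY},
]
# Same chain but with a different key presented for the customer zone: the TLD's DS no longer matches.
SWAPPED = CHAIN[:2] + [{"name": "customer.tld.", "dnskey": dnskey_rdata(257, 13, bytes(range(96, 128)))}]
```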

DNSSEC is not an encryption mechanism and provides no security to prevent snooping on what queries are being done by which users.

DNSSEC does not have an error correction mechanism.

DNSSEC application providers have introduced, with different levels of success, an error recovery mechanism designed to clear out all data that had failed verification, up to the highest point where verification succeeded.

The added benefit of DNSSEC is the establishment of a “chain-of-authentication”.

In this way, DNSSEC provides additional mechanisms by which DNS resolution may fail. Therefore, some customers may prefer to take their chances with their existing zone data and keep the status-quo by not signing their zone.

For these users we must try and retain the existing stability, reliability and speed that has historically been a key feature of DNS resolution.

However, some domain holders' customers, for example those dealing with financial transactions, may feel that it would be better for the end user not to be presented with a web site at all than to run the risk of having users sent to the wrong site.

For these users we must provide the ability for them to sign their zones and provide them with the chain of authentication they need in order for their zone data to be publicly verifiable.

CommunityDNS and DNSSEC

Having led DNSSEC testbeds with TLDs in 2004, 2005 and 2007, CommunityDNS understands the importance DNSSEC can bring to the overall security of the DNS. CommunityDNS first supported DNSSEC with NSEC as the platform was initially developed and, when NSEC3 was ratified in March 2008, CommunityDNS became NSEC3 compliant, and NSEC3 with OptOut compliant shortly thereafter.

DNSSEC key signing process

ICANN appointed Paul M Kane, CEO of CommunityDNS, as one of seven Trusted Community Representatives (“TCR”) from the global community; he holds two identical smart cards safeguarding the encrypted cryptographic fragment of the Recovery Key for the DNSSEC signing key used to sign the ROOT Zone. This video describes the process of generating the cryptographic keys used for signing the ROOT Zone; it was filmed at the first DNSSEC Signing Ceremony, which took place on the 16th June 2010, ready for the DNSSEC Signed Root on the 15th July 2010.

Benefits of DNSSEC

  • DNSSEC provides a mechanism by which an end user can guarantee that the DNS data they have is the same as that which was published by the holder of the zone's private key.
  • Currently, when an end-user visits a web site they cannot be sure that the site they are visiting is the one the zone owner published. With a completely DNSSEC signed DNS tree, the end user can be sure (and prove cryptographically) that the DNS data they have in their hand is correct.

This is of great benefit in itself; however, it is undoubtedly in the new applications this will unlock, between the end user and the destination site, that the true benefit of DNSSEC will become apparent.

  • Once a full chain of authentication can be established all the way to the ROOT zone, the flexible, reliable and fast distributed database that is DNS will become the backbone for a whole range of new applications that will be opened up by the benefit that verifiable DNS provides.
  • Specifically, there are a wide range of existing applications that require verifiable public keys in order to provide secure and guaranteed communication. A DNSSEC signed zone can provide this mechanism.