The Domain Name System Security Extensions (DNSSEC) is a suite of IETF-developed specifications designed to validate information provided by the Domain Name System (DNS).

A number of early adopters deployed DNSSEC for the domain they are responsible for. Among these early adopters were the country code Top Level Domains (ccTLDs) .br, .bg, .cz, .pr, .se and the generic Top Level Domain (gTLD) .org. Besides TLD operators, organisations such as the RIPE NCC and the RIPE community as a whole were at the forefront of DNSSEC development. The RIPE NCC has signed its DNS zones since 2005. However, many TLD operators waited for the root zone to be signed before they started deploying DNSSEC.

When the root zone was signed in June 2010, this acted as a catalyst for TLD operators to deploy DNSSEC on their side. We have seen a gradual but significant increase in signed TLDs since then.

The map below shows the level of DNSSEC deployment in Europe. Those countries marked blue have deployed DNSSEC. Those marked yellow plan to deploy it in the near future. Those in white have no plans as yet to deploy DNSSEC.



Figure 1: DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy) DNSSEC in European ccTLDs (blue = deployed; yellow = planning to deploy; white = no plans to deploy)

At the core of DNSSEC is the "chain of trust" that follows the hierarchy by which a domain is delegated from the root zone to a TLD and then to the domain operator. For DNSSEC to be fully useful, this chain of trust needs to be complete. This means that for a domain owner, DNSSEC becomes truly useful once the TLD that domain is under is also signed.

The RIPE NCC is maintaining zones in domains under several infrastructure TLDs. The vast majority of the zones under these TLDs are by now supporting DNSSEC because the parent zones allow delegation signer (DS) records to be included, thereby completing the chain of trust. Recently, the RIPE NCC also enabled the IPv4 reverse zones in the in-addr.arpa parent zone. We expect that at the end of the year, only three of our parent zones will not be able to accept our delegation signer (DS) records: 196.in-addr.arpa, .int and .cc. That is considered a huge progress since the root zone has been signed.

Below you can see a graph showing DS records inside the reverse zones the RIPE NCC is maintaining. Over the last few years, we have observed a steady increase in the number of DS records. In total, there are currently 450 DS records in our zones.



Figure 2: Number of DS records in RIPE NCC-maintained reverse zones over time Number of DS records in RIPE NCC-maintained reverse zones over time

Considering that the RIPE NCC maintains some 500,000 reverse delegations, this number is still very small. However, the recent increase is encouraging.

From our point of view, we are pleased with the progress that DNSSEC has made since the root zone was signed a year ago. Very few industry experts expected the signing of the root zone to have such a substantial impact on the signing of TLDs.

For more information, please refer to the article on RIPE Labs: DNSSEC Deployment Today