Domain Name System Security Extensions (DNSSEC) Improving Technical Security

State of DNSSEC Deployment 2016 report shows over 89% of top-level domains signed

Did you know that 89% of top-level domains are now signed with DNSSEC? Or that over 88% of .GOV domains and over 50% of .CZ domains are signed? Were you aware that over 103,000 domains use DANE and DNSSEC to provide a higher level of security for email? Or that 80% of clients request DNSSEC signature records in DNS queries?

All these facts and much more are available in our new State of DNSSEC Deployment 2016 report.

For many years a wide variety of statistics about DNSSEC deployment have been available, but it’s been challenging to get an overall view. With this report our goal is to help people across the industry understand where the deployment of DNSSEC is at – and what challenges still need to be overcome.

To back up a bit, the “DNS Security Extensions”, or “DNSSEC”, provide a way to be sure you are communicating with the correct web site, service, or application. Before your mobile phone, laptop or other device connects to a site on the Internet, it must first obtain the correct IP address from the Domain Name System (DNS). Think of DNS similar to the “address book” you may have in your phone. You may look up “Dan York” in your contact list and call me – but underneath that your phone figures out the actual telephone number to call to reach me. DNS provides a similar directory function for the Internet.

The challenge is that there are ways an attacker can spoof the DNS results which could wind up with you connecting to the wrong site. Potentially you could wind up providing information to an attacker or downloading malware.

DNSSEC uses a system of digital signatures – and the checking of digital signatures (what we call “validation”) – to ensure that the information you get out of DNS is the same information that the operators of the domains put into DNS.

At a high level, this is what DNSSEC does – it makes sure you can trust the information you get from DNS. (You can read more on our DNSSEC Basics page.)

The basics of DNSSEC have been standardized for most of 20 years, but until the root zone of DNS was signed in 2010, there wasn’t much deployment. In the six years since, deployment has continued to grow. This report outlines that growth and provides a view into where that growth is happening and much more.

We encourage you to read and share this report widely. And if you haven’t yet started deploying DNSSEC validation on your own networks – or haven’t started signing your domains with DNSSEC – you can visit our Deploy360 Start page to find resources to help you begin.

Using DNSSEC allows us to have a higher level of trust in the domain names we use every day on the Internet. I hope you will join with me and others in deploying DNSSEC and building a more trusted Internet!