6 Stages Of DNSSEC Deployment

For our DNSSEC Deployment Maps and the associated data files, we track six stages of DNSSEC deployment for top-level domains (TLDs).

1. Experimental

In this stage, the registry behind the TLD is experimenting with DNSSEC in some way.  They may be running an internal trial, a public pilot program or just be known to be experimenting with DNSSEC.

We identify a TLD as being in this stage primarily by observing information or statements from representatives of the TLD indicating that they are doing some work with DNSSEC.  This information may be observed from sources such as these:

  • messages we see on various mailing lists
  • presentations at conferences or events
  • participation at DNSSEC training workshops
  • blog posts or other online articles

Occasionally, too, a TLD registry may contact us directly and let us know they are experimenting with DNSSEC.

2. Announced

The TLD registry has made a statement publicly committing to deploy DNSSEC and sign the TLD.  This could be in the form of a news release, a blog post, a conference presentation or an email from an authoritative representative of the TLD, either directly to us or distributed on one of the various DNS-related mailing lists that exist.

3. Partial

In this stage, the TLD is publicly signed with DNSSEC but the Delegation Signer (DS) record has not yet been published in the root zone of DNS.  The TLD registry has gone through the work to have the authoritative name servers publish signed records, but has not yet linked the TLD into the global chain of trust.

Similar to the earlier two stages, we typically learn that a TLD is in the “partial” stage by observing statements either online or at events.  However, unlike the earlier stages, we are then able to confirm the existence of the DNSSEC signatures in the records of the TLD zone.

4. DS in Root

When the root zone of DNS publishes a DS record for a TLD, that TLD is now tied into the “global chain of trust” of DNSSEC and second-level domains under that TLD can now have DNSSEC validation performed on them that will verify the signatures all the way back up to the DNS root.

This is the one stage that we can observe directly ourselves, and we can also be notified when new DS records are published.  We can use some of the DNSSEC statistics sites to validate this, and sites such as Rick Lamb’s DNSSEC deployment report to know when new DS records are published.

A number of TLDs in the DNSSEC Deployment Maps are in this “DS in Root” state because it is very easy for us to determine when a TLD enters this stage of deployment.

5. Operational

The fifth stage of DNSSEC deployment is one in which the TLD registry is now accepting signed delegations from second-level domains, either using a DS record or a DNSKEY record depending upon the TLD policy.  It is at this point that a domain registrant can typically work with a registrar and a DNS hosting operator to sign their domain and upload their DS record.

Unfortunately we have no easy way yet to verify that TLDs are in this stage of deployment.  Similar to the first three stages, much of our identification of TLDs in this stage occurs through observing information and statements from representatives of the TLD registry or from registrars who register domains for that TLD.  In some cases the TLD registry itself may have statements on its website, or registrars may have information on their sites indicating that they can register domains with DNSSEC for specific TLDs.  Sometimes we do receive email communication from TLDs indicating that they have entered the operational stage of deployment.

6. DS Automation

The sixth stage of DNSSEC deployment is where the TLD operator is performing some type of automation to ensure that DS records for second-level domains are updated when new keys are generated. Typically this is done with the use of either a CDS or CDNSKEY record as defined in RFC 7344 and RFC 8078.
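Both the “DS in Root” check (stage 4) and the CDS comparison behind DS automation (stage 6) come down to the same computation: the parent’s DS record must carry the key tag, algorithm and digest of the child’s DNSKEY. The following is an added example, not code from the deployment maps project, that derives a SHA-256 DS record from a DNSKEY (RFC 4034) and checks whether a DS seen in the parent zone commits to that key; the key material is a constructed placeholder, not a real key.

```python
import base64
import hashlib

# Constructed placeholder: 16 arbitrary bytes standing in for real RSA/ECDSA key material.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(16))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) as the parent would publish it.

    Digest type 2 is SHA-256 over owner-name wire form || DNSKEY RDATA (RFC 4034 section 5.1.4).
    A child publishes exactly this tuple as its CDS record when asking the parent to roll the DS.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches(ds: tuple, owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bool:
    """True if a DS record observed in the parent (e.g. the root) commits to this child DNSKEY."""
    if ds[2] != 2:  # only SHA-256 digests are handled in this example
        return False
    want = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64)
    return (ds[0], ds[1], ds[3].lower()) == (want[0], want[1], want[3])


if __name__ == "__main__":
    ds = ds_from_dnskey("example.", 257, 3, 8, SAMPLE_PUBKEY_B64)
    print("DS record:", ds, "matches:", ds_matches(ds, "example.", 257, 3, 8, SAMPLE_PUBKEY_B64))
```

A TLD whose DNSKEY passes this check against a DS in the root zone is in the “DS in Root” stage; a zone signed without any matching DS in its parent is still “partial”.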

For all of the stages, we encourage TLD registries and registrars to contact us and let us know the current status of a TLD, and in particular whether we have the TLD in the correct stage in our maps and associated data.