Donate
‹ Back
Deploy360 24 October 2013

4 NewgTLDs Launched Yesterday Marks Dawn of “DNSSEC From The Start” TLDs

Dan York
By Dan YorkDirector of Web Strategy

dnssecYesterday was a big day for the Domain Name System (DNS). After a long process, ICANN formally delegated the first four of the “new generic top-level domains (newgTLDs)”, marking the beginning of the largest expansion of the domain name space ever. In addition to the existing “generic TLDs” like .com, .org, .net, etc., and the existing “country code TLDs (ccTLDs)” like .nl, .cz, .tv, etc., over the months and years ahead there are some 1,400 newgTLDs that are expected to be launched.

These first four newgTLDs are interestingly not English-language names like “.shop” or “.bank”, but instead what are called “Internationalized Domain Names (IDNs)” in non-Latin alphabets:

  • شبكة (xn--ngbc5azd) – Arabic for “web/network”
  • онлайн (xn--80asehdb) – Cyrillic for “online”
  • сайт (xn--80aswg) – Cyrillic for “site”
  • 游戏(xn--unup4y) – Chinese for “game(s)”

Yesterday’s “delegation” means that these TLDs now appear in the root zone of the DNS and the registries who operate these TLDs can now begin the process of selling domain names underneath these TLDs.  There is a formal process the registries have to go through to get started, but soon we should see these TLDs available as options for registration at the registrars who are supporting these TLDs.

Now, the exciting aspect of this news from a Deploy360 point of view is simply this:

All of these newgTLDs MUST be signed with and use DNSSEC!

From the very beginning of their operation these newgTLDs are already starting out with more security enabled than many of the existing country-code TLDs (ccTLDs).  If you look at ICANN’s “TLD DNSSEC Report” you can see that pretty much all of the existing major “generic TLDs” (ex. .com, .org, .net, .edu) are signed with DNSSEC.  Similarly over 100 of the existing ccTLDs are signed with DNSSEC.  These four newgTLDs can also be found in that report, with a nice green bar showing that they are all signed with DNSSEC.

The key point here is that these new registries must:

1. Keep the TLD signed with DNSSEC from an operational point of view.
2. Accept DNSSEC records (DS/DNSKEY) from registrars (or domain registrants depending upon the business model).

One important point:

Support of DNSSEC by a newgTLD does NOT mean that ALL domains registered under the newgTLD will be secured with DNSSEC!

But it means that all domain names registered under the newgTLD CAN be secured with DNSSEC – and that is a great step forward!

Furthermore, the new ICANN Registrar Accreditation Agreement (RAA) will require all “ICANN-accredited registrars” to support the passing of DNSSEC records from a domain name registrant up to the TLD registry. This means we should be seeing a great amount more of DNSSEC support from within the registrars.  Hopefully the DNS operators (which are sometimes part of registrars) will follow with making it easy for domain name holders to sign their domains.

All in all this newgTLD launch is great news for those of us looking at add more security to the Internet through the use of DNSSEC.  From here on out all the newgTLDs will be launched with DNSSEC – and hopefully this will also put some competitive pressure on the lagging ccTLDs (and a few lagging gTLDs) to join the rest of the TLDs that have already signed their domains.

And in the end, we’ll have a more secure Internet protecting users from attackers and also enabling new an innovative forms of security such as DANE’s protection of SSL/TLS certificates.

Congratulations to all the teams at these four registries (and their operators) and also at ICANN on this launch of the first new – and secure – gTLDs!

P.S. Want to understand DNSSEC and how (or why?) you can get started?  Check out our DNSSEC Basics page

 

 

 

 

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)
Deploy36029 April 2015

nTLDStats Adds DNSSEC Statistics for New Generic Top-Level Domains (newgTLDs)

Hooray! The folks over at nTLDstats have now added a new tab that lets you see which of the 100s...

ICANN's 2013 RAA Requires Domain Name Registrars To Support DNSSEC, IPv6
Deploy36020 September 2013

ICANN's 2013 RAA Requires Domain Name Registrars To Support DNSSEC, IPv6

How do we get more domain name registrars to support DNSSEC?  I don't know how many times I've heard this:...

Update on DNSSEC Deployment Maps: Github repo for tracking issues, newgTLDs, more...
Deploy36020 February 2014

Update on DNSSEC Deployment Maps: Github repo for tracking issues, newgTLDs, more…

The positive reaction to our publishing of DNSSEC deployment maps has been great to hear and I wanted to provide...

Join the conversation with Internet Society members around the world