Donate
‹ Back
Deploy360 17 July 2014

Congrats to Spain (.ES) and Croatia (.HR) on on their DNSSEC-signed TLDs in the DNS Root

Dan York
By Dan YorkDirector of Web Strategy

Croatia and SpainCongratulations to the teams at the top-level domains (TLDs) of both .ES (Spain) and .HR (Croatia) for getting their DNSSEC-signed TLDs in the root of DNS!  Looking at Rick Lamb’s DNSSEC Deployment Report today I can see that as of yesterday both TLDs had a DS record in the root zone of DNS.

Both will now appear with the “DS In Root” status in our DNSSEC deployment maps that get generated every Monday (and to which all are welcome to subscribe).

What this means is that the TLDs have been signed with DNSSEC and as of yesterday can now participate in the “global chain of trust”. DNSSEC-signed second-level domains under .ES and .HR will now be able to have their signatures validated and confirmed from the root of DNS all the way down to their domains.

Now… I should say that this is technically possible at this point in time.  The DS records for .ES and .HR are now in the root zone.  Second-level domains could be validated from the root all the way down.

However, we can’t tell from external observations whether someone with a .ES domain can provide their DS record up to the .ES TLD – and the same for .HR.  We can’t tell if those registries are allowing DNSSEC signatures from second-level domains.  So it might or might not be possible today… but there is no longer a technical roadblock in the DNS system – it is now up to the TLD registries to allow registrars to submit DNSSEC records for domain registrants.  (And once we can confirm that they are allowing DS records from second-level domains we’ll set their status to “Operational” in the DNSSEC deployment maps.)

Congratulations again to both teams – and if you have registered a .ES or .HR domain, you can now start asking your registrar to find out when you will be able to get the increased security of DNSSEC and try new services like the DANE protocol!

Want to get started with DNSSEC and DANE? Check out our “Start Here” page to find resources tailored to your type of organization – or please let us know if you need additional material.

P.S. In entering the information about .HR for Croatia into our DNSSEC Deployment Map database, I discovered that the status had been previously incorrectly set to “Operational” based on some earlier information that had not been updated.  Croatia has been showing up in that state since the end of March 2014.  We regret that error and now will correctly be showing Croatia as “DS in Root” on the maps that get generated on Monday, July 21, 2014.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Yea! Austria (.AT) and Poland (.PL) Join DNSSEC-Signed TLDs Linked From The Root
Deploy3609 February 2012

Yea! Austria (.AT) and Poland (.PL) Join DNSSEC-Signed TLDs Linked From The Root

Two more top-level-domains (TLDs) joined the global DNSSEC "chain of trust" today! By way of two tweets from @RootChanges we...

Indonesia And Vanuatu Sign .ID and .VU With DNSSEC
Deploy36015 December 2014

Indonesia And Vanuatu Sign .ID and .VU With DNSSEC

We were very pleased to learn this morning that both Indonesia's .ID and Vanuatu's .VU country-code top-level domains (ccTLDs) had...

In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC
2 November 2016

In September, Singapore and Senegal Signed Their .SN and .SG with DNSSEC

Congratulations to the teams in both Singapore and Senegal for signing their country-code top-level domains (ccTLDs) with DNSSEC back in...

Join the conversation with Internet Society members around the world