Deploy360 1 December 2014

Australia (.AU) and Grenada (.GD) Are Latest ccTLDs To Sign With DNSSEC

By Dan York, Director, Internet Technology

Today’s DNSSEC Deployment Maps have two great new additions for country-code top-level domains (ccTLDs): Australia’s .AU domain and Grenada’s .GD domain both had their DS record published in the root zone of DNS over the past few days.  What this means is that anyone who has registered a domain in .AU or .GD may soon be able to gain the increased security of signing their own domain with DNSSEC and tying it into the “global chain of trust” of DNSSEC.  To be clear, these two ccTLDs have entered the 4th of 5 stages of DNSSEC deployment where the DNSSEC chain of trust now extends from the root of DNS to the ccTLD itself.  The next “Operational” stage is where the ccTLD starts accepting DNSSEC records from registrants.  Hopefully that time will not be far away for both of these ccTLDs.  (To get ready, please visit our Start Here page to find out how you can prepare your organization to work with DNSSEC.)
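To make the "DS in Root" step concrete, the following added example (not code from this post or from either registry) shows how a DS record in a parent zone commits to a child zone's DNSKEY under RFC 4034, and how a validator checks that link. The zone name `example.`, the key bytes, and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample key material: arbitrary bytes, not a real registry key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical lowercase wire form of a name: 'AU.' -> b'\\x02au\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (a 16-bit checksum, not a hash)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """Build (key tag, algorithm, digest type 2, SHA-256 hex digest) for the parent zone."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True only if the parent's DS record commits to exactly this child DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:  # this sketch handles SHA-256 DS records only
        return False
    return make_ds(owner, rdata) == (tag, algorithm, 2, digest.replace(" ", "").upper())

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY_B64)  # 257 = KSK, 8 = RSA/SHA-256
    ds = make_ds("example.", ksk)
    print("DS as the parent would publish it:", *ds)
    print("genuine key accepted:", ds_matches("example.", ksk, ds))
    forged = ksk[:-1] + bytes([ksk[-1] ^ 1])  # one flipped bit in the key
    print("altered key accepted:", ds_matches("example.", forged, ds))
```

A full validator also verifies the parent's RRSIG over the DS record and the child's RRSIG over its DNSKEY set; this block covers only the DS-to-DNSKEY binding.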

Given Australia’s large size on a map, the new “DS in Root” bright green shows up wonderfully in the global view:

Global DNSSEC Deployment map as of 1-Dec-2014

and even better in the Asia Pacific view:

Asia Pacific DNSSEC deployment map as of 1-Dec-2014

Unfortunately with the resolution of our maps you can’t really see Grenada on the Latin America map, but I can tell you that it is one of the six ccTLDs in the “DS in Root” stage in the map:

Latin America DNSSEC deployment map as of 1-Dec-2014

Congratulations to the teams at both ccTLD registries!

In the case of Australia’s .AU, the registry organization, auDA, has been experimenting with DNSSEC since back in 2008 and 2010, and signed the .AU zone back in April 2014 (entering into our “Partial” state on the maps).  The news this past week is the culmination of all that work over several years.  AuDA has also published two pages of interest:

We look forward to learning that auDA is accepting DNSSEC records from .AU registrants and enters the fully “Operational” state.

In the case of Grenada, the first we knew was when the DS record was published in the root zone (seen on stats sites like this one). I couldn’t see any further information on, so I don’t know their further plans at this point.  Regardless, it was a wonderful surprise to learn that .GD was signed and had the DS record in the root zone!

In fact, November was a great month for ccTLDs and DNSSEC with Norway’s .NO signing and Ireland’s .IE signing and also entering the “Operational” state.

All great to see!  We’re looking forward to the day when our DNSSEC deployment maps are all green!

If you want to get started with DNSSEC – or just learn more of what it is all about, please visit our Start Here page to find resources tailored for your type of organization or role.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
