For our DNSSEC Deployment Maps and the associated data files, we track five stages of DNSSEC deployment for top-level domains (TLDs).
1. Experimental
In this stage, the registry behind the TLD is experimenting with DNSSEC in some way. It may be running an internal trial or a public pilot program, or simply be known to be experimenting with DNSSEC.
We identify a TLD as being in this stage primarily by observing information or statements from representatives of the TLD indicating that they are doing some work with DNSSEC. This information may be observed from sources such as these:
- messages we see on various mailing lists
- presentations at conferences or events
- participation at DNSSEC training workshops
- blog posts or other online articles
Occasionally, too, a TLD registry may contact us directly and let us know they are experimenting with DNSSEC.
2. Announced
The TLD registry has made a public statement committing to deploy DNSSEC and sign the TLD. This could be a news release, a blog post, a conference presentation or an email from an authoritative representative of the TLD, sent either directly to us or to one of the various DNS-related mailing lists.
3. Partial
In this stage, the TLD zone is publicly signed with DNSSEC, but the Delegation Signer (DS) record has not yet been published in the DNS root zone. The TLD registry has done the work to have its authoritative name servers publish signed records, but has not yet linked the TLD into the global chain of trust. Until the DS appears in the root, validating resolvers have no trust anchor for the TLD and treat it, and everything beneath it, as insecure (unsigned) rather than validating it.
As with the earlier two stages, we typically learn that a TLD is in the "partial" stage by observing statements online or at events. Unlike the earlier stages, however, we can then confirm it in the DNS itself by querying the TLD apex for DNSKEY and RRSIG records.
4. DS in Root
When the root zone of DNS publishes a DS record for a TLD, that TLD is tied into the "global chain of trust" of DNSSEC. Second-level domains under that TLD can then be validated with a chain of signatures that leads all the way back to the DNS root.
This is the one stage that we can observe directly ourselves, simply by querying the root zone for a DS record for the TLD, and we can also be notified when new DS records are published. We use some of the DNSSEC statistics sites to validate this, and sites such as Rick Lamb's DNSSEC deployment report to learn when new DS records appear.
A large number of TLDs in the DNSSEC Deployment Maps, particularly the "new gTLDs" in the data files, are recorded in this "DS in Root" stage, because entering it is the one transition we can detect reliably.
5. Operational
The final stage of DNSSEC deployment is one in which the TLD registry accepts signed delegations from second-level domains, either as DS records or as DNSKEY records (from which the registry derives the DS itself), depending on the TLD's policy. At this point a domain registrant can typically work with a registrar and a DNS hosting operator to sign their domain and upload their DS record.
Unfortunately we have no easy way yet to verify that a TLD is in this stage: nothing in the DNS distinguishes a registry that accepts DS records from one that merely has its own DS in the root. As with the first three stages, much of our identification of TLDs in this stage comes from observing information and statements from representatives of the TLD registry, or from registrars who register domains in that TLD. In some cases the TLD registry itself publishes a statement on its website, or registrars indicate on their sites that they can register DNSSEC-signed domains in specific TLDs. Sometimes we also receive email from TLDs telling us they have entered the operational stage.
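As an added example (not code from the original page or from the Deploy360 project), the following Python script implements the part of this classification that DNS data alone can support. It derives the DS record a parent would publish for a given DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4), checks DS records seen in the root against the DNSKEYs seen at the TLD apex, and places a TLD in the "Partial" or "DS in Root" stage accordingly. The TLD name, keys and DS values in it are constructed, and the function names (`assess_tld`, `ds_matches`, `ds_for_dnskey`) are this example's own. In practice the record data would be pasted in from queries such as `dig DS <tld>. @a.root-servers.net` and `dig DNSKEY <tld>. +dnssec`.

```python
"""Place a TLD in the DNS-observable DNSSEC deployment stages (stdlib only).

Example code written for this page; the sample TLD, keys and DS below are
constructed and are not real records.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s. 6.2): lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # terminating root label


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 s. 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()


def ds_for_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS tuple (key_tag, algorithm, digest_type, digest) a parent would publish for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds, owner, dnskey) -> bool:
    """True if a DS seen in the parent zone was derived from this DNSKEY seen at the child apex."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False
    return ds_for_dnskey(owner, *dnskey, digest_type=digest_type) == (tag, alg, digest_type, digest.upper())


def assess_tld(tld, root_ds_set, apex_dnskeys, apex_has_rrsig):
    """Return (stage, notes): the highest stage DNS data alone can demonstrate.

    root_ds_set:    DS tuples for the TLD as published in the root zone
    apex_dnskeys:   (flags, protocol, algorithm, pubkey_b64) tuples at the TLD apex
    apex_has_rrsig: whether the apex RRsets carry RRSIG records
    Stages 1, 2 and 5 are not observable in DNS, so this is a lower bound.
    """
    notes = []
    if root_ds_set:
        if not any(ds_matches(ds, tld, k) for ds in root_ds_set for k in apex_dnskeys):
            notes.append("no DS in the root matches an apex DNSKEY: validators treat the TLD as bogus")
        if not apex_has_rrsig:
            notes.append("DS in the root but apex RRsets are unsigned: validation will fail")
        return "4. DS in Root", notes
    if apex_dnskeys and apex_has_rrsig:
        return "3. Partial", notes
    if apex_dnskeys:
        notes.append("DNSKEY published but no RRSIGs at the apex: zone is not yet signed")
    return "1-2. Experimental/Announced (not observable in DNS)", notes


# Constructed sample data: not a real TLD, not real keys.
EXAMPLE_TLD = "example."
EXAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())  # flags 257 = SEP bit set (KSK)
OTHER_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
EXAMPLE_DS = ds_for_dnskey(EXAMPLE_TLD, *EXAMPLE_KSK)

if __name__ == "__main__":
    print(assess_tld(EXAMPLE_TLD, [EXAMPLE_DS], [EXAMPLE_KSK], True))  # clean "DS in Root"
    print(assess_tld(EXAMPLE_TLD, [EXAMPLE_DS], [OTHER_KSK], True))    # DS does not match: bogus
    print(assess_tld(EXAMPLE_TLD, [], [EXAMPLE_KSK], True))            # signed, no DS: "Partial"
```

The mismatch check is the caveat worth carrying into the maps: a DS in the root that matches no DNSKEY at the TLD apex is not "partially deployed", it is a broken chain of trust, and validating resolvers will return SERVFAIL for the whole TLD (the one exception being a DS set whose digest or key algorithms the resolver does not support at all, which it treats as insecure). The stage string for an unsigned TLD is deliberately vague, since experimental, announced and operational are all states the DNS cannot reveal.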
For all of the stages, we encourage TLD registries and registrars to contact us with the current status of a TLD, and in particular to tell us whether we have the TLD in the correct stage in our maps and data files.