Just about every Internet communication starts with a Domain Name System (DNS) lookup. The DNS is an essential piece of Internet infrastructure that translates human-friendly names (internetsociety.org) into computer-friendly numbers (2001:41c8:20::b31a).
Like many other components of the Internet, the DNS started out without any security features in a vastly different Internet landscape. Today, security and trustworthiness are vital foundations for the ongoing evolution and growth of a robust Internet that benefits users everywhere. DNS Security Extensions (DNSSEC) was developed to provide an additional level of security using cryptographic techniques to validate the authenticity of DNS information.
We wrote several times about DNSSEC deployment at country-code Top Level Domains (ccTLDs) last year. In those posts we drew attention to the deployment of DNSSEC at the ccTLD services for Fiji, Bahrain, Cyprus, Uzbekistan, Libya and Micronesia. In reviewing 2021 as a whole, there were a total of eight ccTLD DNSSEC deployments, which means we have two more to mention – Bouvet Island (.bv) and Dominica (.dm).
Bouvet Island is a Norwegian dependency, and has its own top level domain, .bv. Norid has been the registry for .bv since 1997.
Quoting from the .bv NIC webpage, “The .bv top level domain has never been opened for domain name registrations. If this policy should be changed at a later stage, Norid will undertake a careful evaluation and a consequence analysis of the matter before deciding any changes. Norid will not give away nor sell this top level domain.” Despite its non-availability for registrations, it’s nice to see that it is now fully DNSSEC-enabled should that policy ever change.
Quoting from the .dm NIC webpage, “In February 2021, a new opportunity was presented and DotDM Registry partnered with Uniregistry UNR as provider of Registry Backend Service. Work towards deployment of DNSSEC for signing and validation of .dm domain names commenced and was finalized on December 1st, 2021.”
.bv and .dm join 142 other ccTLDs that are fully DNSSEC capable. There are 104 ccTLDs that have yet to fully enable DNSSEC. Those unsigned domains are more vulnerable to various kinds of attacks that could result in denial of service for domain registrants, manipulation of data and, perhaps most worryingly, theft of authentication credentials.
Signing the domain and installing security keys in the root zone of the DNS is only a first step to more widespread DNSSEC deployment, but it’s an important one. Incentivising registrants to sign their domains is also key, as is encouraging ISPs to enable DNSSEC validation in the recursive resolvers they provide to their subscribers.
You can continue to observe the steady increase in ccTLD DNSSEC adoption and the adoption of DNSSEC validation via our Pulse Enabling Technologies page.
Photo by Robert Keane on Unsplash