Domain Name System Security Extensions - Wikipedia
<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Domain Name System Security Extensions - Wikipedia</title> <script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy", 
"wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"5e0543e8-b551-4c95-92d0-5d7dd09262cf","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Domain_Name_System_Security_Extensions","wgTitle":"Domain Name System Security Extensions","wgCurRevisionId":1255347752,"wgRevisionId":1255347752,"wgArticleId":337389,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["All articles with bare URLs for citations","Articles with bare URLs for citations from March 2022","Articles with PDF format bare URLs for citations","Webarchive template wayback links","Articles with short description","Short description matches Wikidata","All articles with unsourced statements","Articles with unsourced statements from February 2013","Articles containing potentially dated statements from January 2010", "All articles containing potentially dated statements","Articles containing potentially dated statements from July 2010","Articles containing potentially dated statements from November 2011","Wikipedia articles in need of updating from November 2015","All Wikipedia articles in need of updating","Internet Standards","Domain Name System","Domain name system extensions","Public-key cryptography","Key management","Domain Name System Security Extensions"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Domain_Name_System_Security_Extensions","wgRelevantArticleId":337389,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en", 
"pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":60000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q41609","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready", "skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","mmv.bootstrap","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022","ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script> 
<script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&modules=ext.cite.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Domain Name System Security Extensions - Wikipedia"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Domain_Name_System_Security_Extensions"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" 
href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Domain_Name_System_Security_Extensions rootpage-Domain_Name_System_Security_Extensions skin-vector-2022 action-view">
<div class="mw-page-container"> <div class="mw-page-container-inner">
<div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar">
<h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Domain Name System Security Extensions</span></h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. Available in 28 languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-28" aria-hidden="true" ><span class="vector-icon mw-ui-icon-language-progressive mw-ui-icon-wikimedia-language-progressive"></span> <span class="vector-dropdown-label-text">28 languages</span> </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li class="interlanguage-link interwiki-ca mw-list-item"><a href="https://ca.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – Catalan" lang="ca" hreflang="ca" data-title="Domain Name System Security Extensions" data-language-autonym="Català" data-language-local-name="Catalan" class="interlanguage-link-target"><span>Català</span></a></li><li class="interlanguage-link interwiki-cs mw-list-item"><a href="https://cs.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" 
title="Domain Name System Security Extensions – Czech" lang="cs" hreflang="cs" data-title="Domain Name System Security Extensions" data-language-autonym="Čeština" data-language-local-name="Czech" class="interlanguage-link-target"><span>Čeština</span></a></li><li class="interlanguage-link interwiki-de mw-list-item"><a href="https://de.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – German" lang="de" hreflang="de" data-title="Domain Name System Security Extensions" data-language-autonym="Deutsch" data-language-local-name="German" class="interlanguage-link-target"><span>Deutsch</span></a></li><li class="interlanguage-link interwiki-el mw-list-item"><a href="https://el.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Greek" lang="el" hreflang="el" data-title="DNSSEC" data-language-autonym="Ελληνικά" data-language-local-name="Greek" class="interlanguage-link-target"><span>Ελληνικά</span></a></li><li class="interlanguage-link interwiki-es mw-list-item"><a href="https://es.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – Spanish" lang="es" hreflang="es" data-title="Domain Name System Security Extensions" data-language-autonym="Español" data-language-local-name="Spanish" class="interlanguage-link-target"><span>Español</span></a></li><li class="interlanguage-link interwiki-eo mw-list-item"><a href="https://eo.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Esperanto" lang="eo" hreflang="eo" data-title="DNSSEC" data-language-autonym="Esperanto" data-language-local-name="Esperanto" class="interlanguage-link-target"><span>Esperanto</span></a></li><li class="interlanguage-link interwiki-eu mw-list-item"><a href="https://eu.wikipedia.org/wiki/DnsSec" title="DnsSec – Basque" lang="eu" hreflang="eu" data-title="DnsSec" data-language-autonym="Euskara" data-language-local-name="Basque" class="interlanguage-link-target"><span>Euskara</span></a></li><li class="interlanguage-link 
interwiki-fa mw-list-item"><a href="https://fa.wikipedia.org/wiki/%D8%B6%D9%85%DB%8C%D9%85%D9%87%E2%80%8C%D9%87%D8%A7%DB%8C_%D8%A7%D9%85%D9%86%DB%8C%D8%AA%DB%8C_%D8%B3%D8%A7%D9%85%D8%A7%D9%86%D9%87_%D9%86%D8%A7%D9%85_%D8%AF%D8%A7%D9%85%D9%86%D9%87" title="ضمیمههای امنیتی سامانه نام دامنه – Persian" lang="fa" hreflang="fa" data-title="ضمیمههای امنیتی سامانه نام دامنه" data-language-autonym="فارسی" data-language-local-name="Persian" class="interlanguage-link-target"><span>فارسی</span></a></li><li class="interlanguage-link interwiki-fr mw-list-item"><a href="https://fr.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – French" lang="fr" hreflang="fr" data-title="Domain Name System Security Extensions" data-language-autonym="Français" data-language-local-name="French" class="interlanguage-link-target"><span>Français</span></a></li><li class="interlanguage-link interwiki-ko mw-list-item"><a href="https://ko.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Korean" lang="ko" hreflang="ko" data-title="DNSSEC" data-language-autonym="한국어" data-language-local-name="Korean" class="interlanguage-link-target"><span>한국어</span></a></li><li class="interlanguage-link interwiki-hy mw-list-item"><a href="https://hy.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Armenian" lang="hy" hreflang="hy" data-title="DNSSEC" data-language-autonym="Հայերեն" data-language-local-name="Armenian" class="interlanguage-link-target"><span>Հայերեն</span></a></li><li class="interlanguage-link interwiki-id mw-list-item"><a href="https://id.wikipedia.org/wiki/Sambungan_Keselamatan_Sistem_Nama_Domain" title="Sambungan Keselamatan Sistem Nama Domain – Indonesian" lang="id" hreflang="id" data-title="Sambungan Keselamatan Sistem Nama Domain" data-language-autonym="Bahasa Indonesia" data-language-local-name="Indonesian" class="interlanguage-link-target"><span>Bahasa Indonesia</span></a></li><li class="interlanguage-link interwiki-it mw-list-item"><a 
href="https://it.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Italian" lang="it" hreflang="it" data-title="DNSSEC" data-language-autonym="Italiano" data-language-local-name="Italian" class="interlanguage-link-target"><span>Italiano</span></a></li><li class="interlanguage-link interwiki-ky mw-list-item"><a href="https://ky.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Kyrgyz" lang="ky" hreflang="ky" data-title="DNSSEC" data-language-autonym="Кыргызча" data-language-local-name="Kyrgyz" class="interlanguage-link-target"><span>Кыргызча</span></a></li><li class="interlanguage-link interwiki-hu mw-list-item"><a href="https://hu.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – Hungarian" lang="hu" hreflang="hu" data-title="Domain Name System Security Extensions" data-language-autonym="Magyar" data-language-local-name="Hungarian" class="interlanguage-link-target"><span>Magyar</span></a></li><li class="interlanguage-link interwiki-ms mw-list-item"><a href="https://ms.wikipedia.org/wiki/Sambungan_Keselamatan_Sistem_Nama_Domain" title="Sambungan Keselamatan Sistem Nama Domain – Malay" lang="ms" hreflang="ms" data-title="Sambungan Keselamatan Sistem Nama Domain" data-language-autonym="Bahasa Melayu" data-language-local-name="Malay" class="interlanguage-link-target"><span>Bahasa Melayu</span></a></li><li class="interlanguage-link interwiki-nl mw-list-item"><a href="https://nl.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Dutch" lang="nl" hreflang="nl" data-title="DNSSEC" data-language-autonym="Nederlands" data-language-local-name="Dutch" class="interlanguage-link-target"><span>Nederlands</span></a></li><li class="interlanguage-link interwiki-ja mw-list-item"><a href="https://ja.wikipedia.org/wiki/DNS_Security_Extensions" title="DNS Security Extensions – Japanese" lang="ja" hreflang="ja" data-title="DNS Security Extensions" data-language-autonym="日本語" data-language-local-name="Japanese" 
class="interlanguage-link-target"><span>日本語</span></a></li><li class="interlanguage-link interwiki-uz mw-list-item"><a href="https://uz.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Uzbek" lang="uz" hreflang="uz" data-title="DNSSEC" data-language-autonym="Oʻzbekcha / ўзбекча" data-language-local-name="Uzbek" class="interlanguage-link-target"><span>Oʻzbekcha / ўзбекча</span></a></li><li class="interlanguage-link interwiki-pl mw-list-item"><a href="https://pl.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Polish" lang="pl" hreflang="pl" data-title="DNSSEC" data-language-autonym="Polski" data-language-local-name="Polish" class="interlanguage-link-target"><span>Polski</span></a></li><li class="interlanguage-link interwiki-pt mw-list-item"><a href="https://pt.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Portuguese" lang="pt" hreflang="pt" data-title="DNSSEC" data-language-autonym="Português" data-language-local-name="Portuguese" class="interlanguage-link-target"><span>Português</span></a></li><li class="interlanguage-link interwiki-ru mw-list-item"><a href="https://ru.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Russian" lang="ru" hreflang="ru" data-title="DNSSEC" data-language-autonym="Русский" data-language-local-name="Russian" class="interlanguage-link-target"><span>Русский</span></a></li><li class="interlanguage-link interwiki-simple mw-list-item"><a href="https://simple.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" title="Domain Name System Security Extensions – Simple English" lang="en-simple" hreflang="en-simple" data-title="Domain Name System Security Extensions" data-language-autonym="Simple English" data-language-local-name="Simple English" class="interlanguage-link-target"><span>Simple English</span></a></li><li class="interlanguage-link interwiki-fi mw-list-item"><a href="https://fi.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Finnish" lang="fi" hreflang="fi" data-title="DNSSEC" data-language-autonym="Suomi" data-language-local-name="Finnish" 
class="interlanguage-link-target"><span>Suomi</span></a></li><li class="interlanguage-link interwiki-sv mw-list-item"><a href="https://sv.wikipedia.org/wiki/DNS#DNSSEC" title="DNS – Swedish" lang="sv" hreflang="sv" data-title="DNS" data-language-autonym="Svenska" data-language-local-name="Swedish" class="interlanguage-link-target"><span>Svenska</span></a></li><li class="interlanguage-link interwiki-tr mw-list-item"><a href="https://tr.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Turkish" lang="tr" hreflang="tr" data-title="DNSSEC" data-language-autonym="Türkçe" data-language-local-name="Turkish" class="interlanguage-link-target"><span>Türkçe</span></a></li><li class="interlanguage-link interwiki-uk mw-list-item"><a href="https://uk.wikipedia.org/wiki/DNSSEC" title="DNSSEC – Ukrainian" lang="uk" hreflang="uk" data-title="DNSSEC" data-language-autonym="Українська" data-language-local-name="Ukrainian" class="interlanguage-link-target"><span>Українська</span></a></li><li class="interlanguage-link interwiki-zh mw-list-item"><a href="https://zh.wikipedia.org/wiki/%E5%9F%9F%E5%90%8D%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E6%89%A9%E5%B1%95" title="域名系统安全扩展 – Chinese" lang="zh" hreflang="zh" data-title="域名系统安全扩展" data-language-autonym="中文" data-language-local-name="Chinese" class="interlanguage-link-target"><span>中文</span></a></li> </ul> <div class="after-portlet after-portlet-lang"><span class="wb-langlinks-edit wb-langlinks-link"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q41609#sitelinks-wikipedia" title="Edit interlanguage links" class="wbc-editpage">Edit links</a></span></div> </div> </div> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected 
vector-tab-noicon mw-list-item"><a href="/wiki/Domain_Name_System_Security_Extensions" title="View the content page [c]" accesskey="c"><span>Article</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Domain_Name_System_Security_Extensions" rel="discussion" title="Discuss improvements to the content page [t]" accesskey="t"><span>Talk</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Domain_Name_System_Security_Extensions"><span>Read</span></a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=history" title="Past revisions of 
this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a 
href="/wiki/Domain_Name_System_Security_Extensions"><span>Read</span></a></li><li id="ca-more-edit" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Domain_Name_System_Security_Extensions" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Domain_Name_System_Security_Extensions" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&oldid=1255347752" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a 
href="/w/index.php?title=Special:CiteThisPage&page=Domain_Name_System_Security_Extensions&id=1255347752&wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FDomain_Name_System_Security_Extensions"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FDomain_Name_System_Security_Extensions"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&page=Domain_Name_System_Security_Extensions&action=show-download-screen" title="Download this page as a PDF file"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&printable=yes" title="Printable version of this page [p]" accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li class="wb-otherproject-link wb-otherproject-commons mw-list-item"><a href="https://commons.wikimedia.org/wiki/Category:DNSSEC" hreflang="en"><span>Wikimedia Commons</span></a></li><li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q41609" title="Structured data on this page hosted by 
Wikidata [g]" accesskey="g"><span>Wikidata item</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Suite of IETF specifications for securing certain kinds of information provided by DNS</div> <style 
data-mw-deduplicate="TemplateStyles:r1129693374">.mw-parser-output .hlist dl,.mw-parser-output .hlist ol,.mw-parser-output .hlist ul{margin:0;padding:0}.mw-parser-output .hlist dd,.mw-parser-output .hlist dt,.mw-parser-output .hlist li{margin:0;display:inline}.mw-parser-output .hlist.inline,.mw-parser-output .hlist.inline dl,.mw-parser-output .hlist.inline ol,.mw-parser-output .hlist.inline ul,.mw-parser-output .hlist dl dl,.mw-parser-output .hlist dl ol,.mw-parser-output .hlist dl ul,.mw-parser-output .hlist ol dl,.mw-parser-output .hlist ol ol,.mw-parser-output .hlist ol ul,.mw-parser-output .hlist ul dl,.mw-parser-output .hlist ul ol,.mw-parser-output .hlist ul ul{display:inline}.mw-parser-output .hlist .mw-empty-li{display:none}.mw-parser-output .hlist dt::after{content:": "}.mw-parser-output .hlist dd::after,.mw-parser-output .hlist li::after{content:" · ";font-weight:bold}.mw-parser-output .hlist dd:last-child::after,.mw-parser-output .hlist dt:last-child::after,.mw-parser-output .hlist li:last-child::after{content:none}.mw-parser-output .hlist dd dd:first-child::before,.mw-parser-output .hlist dd dt:first-child::before,.mw-parser-output .hlist dd li:first-child::before,.mw-parser-output .hlist dt dd:first-child::before,.mw-parser-output .hlist dt dt:first-child::before,.mw-parser-output .hlist dt li:first-child::before,.mw-parser-output .hlist li dd:first-child::before,.mw-parser-output .hlist li dt:first-child::before,.mw-parser-output .hlist li li:first-child::before{content:" (";font-weight:normal}.mw-parser-output .hlist dd dd:last-child::after,.mw-parser-output .hlist dd dt:last-child::after,.mw-parser-output .hlist dd li:last-child::after,.mw-parser-output .hlist dt dd:last-child::after,.mw-parser-output .hlist dt dt:last-child::after,.mw-parser-output .hlist dt li:last-child::after,.mw-parser-output .hlist li dd:last-child::after,.mw-parser-output .hlist li dt:last-child::after,.mw-parser-output .hlist li 
li:last-child::after{content:")";font-weight:normal}.mw-parser-output .hlist ol{counter-reset:listitem}.mw-parser-output .hlist ol>li{counter-increment:listitem}.mw-parser-output .hlist ol>li::before{content:" "counter(listitem)"\a0 "}.mw-parser-output .hlist dd ol>li:first-child::before,.mw-parser-output .hlist dt ol>li:first-child::before,.mw-parser-output .hlist li ol>li:first-child::before{content:" ("counter(listitem)"\a0 "}</style><style data-mw-deduplicate="TemplateStyles:r1246091330">.mw-parser-output .sidebar{width:22em;float:right;clear:right;margin:0.5em 0 1em 1em;background:var(--background-color-neutral-subtle,#f8f9fa);border:1px solid var(--border-color-base,#a2a9b1);padding:0.2em;text-align:center;line-height:1.4em;font-size:88%;border-collapse:collapse;display:table}body.skin-minerva .mw-parser-output .sidebar{display:table!important;float:right!important;margin:0.5em 0 1em 1em!important}.mw-parser-output .sidebar-subgroup{width:100%;margin:0;border-spacing:0}.mw-parser-output .sidebar-left{float:left;clear:left;margin:0.5em 1em 1em 0}.mw-parser-output .sidebar-none{float:none;clear:both;margin:0.5em 1em 1em 0}.mw-parser-output .sidebar-outer-title{padding:0 0.4em 0.2em;font-size:125%;line-height:1.2em;font-weight:bold}.mw-parser-output .sidebar-top-image{padding:0.4em}.mw-parser-output .sidebar-top-caption,.mw-parser-output .sidebar-pretitle-with-top-image,.mw-parser-output .sidebar-caption{padding:0.2em 0.4em 0;line-height:1.2em}.mw-parser-output .sidebar-pretitle{padding:0.4em 0.4em 0;line-height:1.2em}.mw-parser-output .sidebar-title,.mw-parser-output .sidebar-title-with-pretitle{padding:0.2em 0.8em;font-size:145%;line-height:1.2em}.mw-parser-output .sidebar-title-with-pretitle{padding:0.1em 0.4em}.mw-parser-output .sidebar-image{padding:0.2em 0.4em 0.4em}.mw-parser-output .sidebar-heading{padding:0.1em 0.4em}.mw-parser-output .sidebar-content{padding:0 0.5em 0.4em}.mw-parser-output .sidebar-content-with-subgroup{padding:0.1em 0.4em 
0.2em}.mw-parser-output .sidebar-above,.mw-parser-output .sidebar-below{padding:0.3em 0.8em;font-weight:bold}.mw-parser-output .sidebar-collapse .sidebar-above,.mw-parser-output .sidebar-collapse .sidebar-below{border-top:1px solid #aaa;border-bottom:1px solid #aaa}.mw-parser-output .sidebar-navbar{text-align:right;font-size:115%;padding:0 0.4em 0.4em}.mw-parser-output .sidebar-list-title{padding:0 0.4em;text-align:left;font-weight:bold;line-height:1.6em;font-size:105%}.mw-parser-output .sidebar-list-title-c{padding:0 0.4em;text-align:center;margin:0 3.3em}@media(max-width:640px){body.mediawiki .mw-parser-output .sidebar{width:100%!important;clear:both;float:none!important;margin-left:0!important;margin-right:0!important}}body.skin--responsive .mw-parser-output .sidebar a>img{max-width:none!important}@media screen{html.skin-theme-clientpref-night .mw-parser-output .sidebar:not(.notheme) .sidebar-list-title,html.skin-theme-clientpref-night .mw-parser-output .sidebar:not(.notheme) .sidebar-title-with-pretitle{background:transparent!important}html.skin-theme-clientpref-night .mw-parser-output .sidebar:not(.notheme) .sidebar-title-with-pretitle a{color:var(--color-progressive)!important}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .sidebar:not(.notheme) .sidebar-list-title,html.skin-theme-clientpref-os .mw-parser-output .sidebar:not(.notheme) .sidebar-title-with-pretitle{background:transparent!important}html.skin-theme-clientpref-os .mw-parser-output .sidebar:not(.notheme) .sidebar-title-with-pretitle a{color:var(--color-progressive)!important}}@media print{body.ns-0 .mw-parser-output .sidebar{display:none!important}}</style><table class="sidebar nomobile nowraplinks" style="padding:0.5em 0.66em;"><tbody><tr><th class="sidebar-title" style="line-height:1.1em;padding-bottom:0.33em;"><a href="/wiki/Internet_security" title="Internet security">Internet security<br />protocols</a></th></tr><tr><th class="sidebar-heading" 
style="font-weight:normal;"> Key management</th></tr><tr><td class="sidebar-content hlist"> <ul><li><a href="/wiki/Kerberos_(protocol)" title="Kerberos (protocol)">Kerberos</a></li> <li><a href="/wiki/Resource_Public_Key_Infrastructure" title="Resource Public Key Infrastructure">RPKI</a></li> <li><a href="/wiki/PKIX" class="mw-redirect" title="PKIX">PKIX</a></li> <li><a href="/wiki/Web_of_trust" title="Web of trust">Web of trust</a></li> <li><a href="/wiki/X.509" title="X.509">X.509</a></li> <li><a href="/wiki/XKMS" title="XKMS">XKMS</a></li></ul></td> </tr><tr><th class="sidebar-heading" style="font-weight:normal;"> Application layer</th></tr><tr><td class="sidebar-content hlist"> <ul><li><a href="/wiki/DomainKeys_Identified_Mail" title="DomainKeys Identified Mail">DKIM</a></li> <li><a href="/wiki/DMARC" title="DMARC">DMARC</a></li> <li><a href="/wiki/HTTPS" title="HTTPS">HTTPS</a></li> <li><a href="/wiki/Pretty_Good_Privacy" title="Pretty Good Privacy">PGP</a></li> <li><a href="/wiki/Sender_ID" title="Sender ID">Sender ID</a></li> <li><a href="/wiki/Sender_Policy_Framework" title="Sender Policy Framework">SPF</a></li> <li><a href="/wiki/S/MIME" title="S/MIME">S/MIME</a></li> <li><a href="/wiki/SSH" class="mw-redirect" title="SSH">SSH</a></li> <li><a href="/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS/SSL</a></li></ul></td> </tr><tr><th class="sidebar-heading" style="font-weight:normal;"> Domain Name System</th></tr><tr><td class="sidebar-content hlist"> <ul><li><a href="/wiki/DNS-based_Authentication_of_Named_Entities" title="DNS-based Authentication of Named Entities">DANE</a></li> <li><a class="mw-selflink selflink">DNSSEC</a></li> <li><a href="/wiki/DNS_over_HTTPS" title="DNS over HTTPS">DNS over HTTPS</a></li> <li><a href="/wiki/DNS_over_TLS" title="DNS over TLS">DNS over TLS</a></li> <li><a href="/wiki/DNS_Certification_Authority_Authorization" title="DNS Certification Authority Authorization">CAA</a></li></ul></td> </tr><tr><th 
class="sidebar-heading" style="font-weight:normal;"> Internet Layer</th></tr><tr><td class="sidebar-content hlist"> <ul><li><a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">IKE</a></li> <li><a href="/wiki/IPsec" title="IPsec">IPsec</a></li> <li><a href="/wiki/Layer_2_Tunneling_Protocol" title="Layer 2 Tunneling Protocol">L2TP</a></li> <li><a href="/wiki/OpenVPN" title="OpenVPN">OpenVPN</a></li> <li><a href="/wiki/Point-to-Point_Tunneling_Protocol" title="Point-to-Point Tunneling Protocol">PPTP</a></li> <li><a href="/wiki/WireGuard" title="WireGuard">WireGuard</a></li></ul></td> </tr><tr><td class="sidebar-navbar"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374"><style data-mw-deduplicate="TemplateStyles:r1239400231">.mw-parser-output .navbar{display:inline;font-size:88%;font-weight:normal}.mw-parser-output .navbar-collapse{float:left;text-align:left}.mw-parser-output .navbar-boxtext{word-spacing:0}.mw-parser-output .navbar ul{display:inline-block;white-space:nowrap;line-height:inherit}.mw-parser-output .navbar-brackets::before{margin-right:-0.125em;content:"[ "}.mw-parser-output .navbar-brackets::after{margin-left:-0.125em;content:" ]"}.mw-parser-output .navbar li{word-spacing:-0.125em}.mw-parser-output .navbar a>span,.mw-parser-output .navbar a>abbr{text-decoration:inherit}.mw-parser-output .navbar-mini abbr{font-variant:small-caps;border-bottom:none;text-decoration:none;cursor:inherit}.mw-parser-output .navbar-ct-full{font-size:114%;margin:0 7em}.mw-parser-output .navbar-ct-mini{font-size:114%;margin:0 4em}html.skin-theme-clientpref-night .mw-parser-output .navbar li a abbr{color:var(--color-base)!important}@media(prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .navbar li a abbr{color:var(--color-base)!important}}@media print{.mw-parser-output .navbar{display:none!important}}</style><div class="navbar plainlinks hlist navbar-mini"><ul><li class="nv-view"><a 
href="/wiki/Template:Internet_security_protocols" title="Template:Internet security protocols"><abbr title="View this template">v</abbr></a></li><li class="nv-talk"><a href="/wiki/Template_talk:Internet_security_protocols" title="Template talk:Internet security protocols"><abbr title="Discuss this template">t</abbr></a></li><li class="nv-edit"><a href="/wiki/Special:EditPage/Template:Internet_security_protocols" title="Special:EditPage/Template:Internet security protocols"><abbr title="Edit this template">e</abbr></a></li></ul></div></td></tr></tbody></table> <p>The <b>Domain Name System Security Extensions</b> (<b>DNSSEC</b>) is a suite of <a href="/wiki/Extension_Mechanisms_for_DNS" title="Extension Mechanisms for DNS">extension</a> specifications by the <a href="/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force">Internet Engineering Task Force</a> (IETF) for securing data exchanged in the <a href="/wiki/Domain_Name_System" title="Domain Name System">Domain Name System</a> (<a href="/wiki/DNS_hijacking" title="DNS hijacking">DNS</a>) in <a href="/wiki/Internet_Protocol" title="Internet Protocol">Internet Protocol</a> (<a href="/wiki/IPv6" title="IPv6">IP</a>) <a href="/wiki/Networks_and_States" title="Networks and States">networks</a>. The protocol provides <a href="/wiki/Message_authentication" title="Message authentication">cryptographic authentication</a> of data, <a href="/wiki/SOCKS" title="SOCKS">authenticated</a> denial of existence, and data <a href="/wiki/Information_security#Integrity" title="Information security">integrity</a>, but not <a href="/wiki/Information_security#Availability" title="Information security">availability</a> or <a href="/wiki/Information_security#Confidentiality" title="Information security">confidentiality</a>. 
</p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="Overview">Overview</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=1" title="Edit section: Overview"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The original design of the Domain Name System did not include any security features. It was conceived only as a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempt to add security, while maintaining <a href="/wiki/Backward_compatibility" title="Backward compatibility">backward compatibility</a>. <style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output 
.id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3833">3833</a> of 2004 documents some of the known threats to the DNS, and their solutions in DNSSEC. </p><p>DNSSEC was designed to protect applications using DNS from accepting forged or manipulated DNS data, such as that created by <a href="/wiki/DNS_cache_poisoning" class="mw-redirect" title="DNS cache poisoning">DNS cache poisoning</a>. All answers from DNSSEC protected zones are <a href="/wiki/Digital_signature" title="Digital signature">digitally signed</a>.<sup id="cite_ref-1" class="reference"><a href="#cite_note-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server. 
While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX), and can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS such as Certificate Records (<a href="/wiki/CERT_record" class="mw-redirect" title="CERT record">CERT records</a>, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4398">4398</a>), <a href="/wiki/Secure_Shell" title="Secure Shell">SSH</a> fingerprints (<a href="/wiki/SSHFP_record" title="SSHFP record">SSHFP</a>, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4255">4255</a>), <a href="/wiki/IPSec" class="mw-redirect" title="IPSec">IPSec</a> public keys (IPSECKEY, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4025">4025</a>), <a href="/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS</a> Trust Anchors (<a href="/wiki/TLSA" class="mw-redirect" title="TLSA">TLSA</a>, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6698">6698</a>), or Encrypted Client Hello (SVCB/HTTPS records for ECH <sup id="cite_ref-2" class="reference"><a 
href="#cite_note-2"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup> <sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup>). </p><p>DNSSEC <i>does not</i> provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC <i>does not</i> protect against <a href="/wiki/Denial_of_service" class="mw-redirect" title="Denial of service">DoS</a> attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties).<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (February 2013)">citation needed</span></a></i>]</sup> </p><p>Other standards (not DNSSEC) are used to secure bulk data (such as a <a href="/wiki/DNS_zone_transfer" title="DNS zone transfer">DNS zone transfer</a>) sent between DNS servers. As documented in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4367">4367</a>, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. 
(February 2013)">citation needed</span></a></i>]</sup> </p><p>The DNSSEC specifications (called <i>DNSSEC-bis</i>) describe the current DNSSEC protocol in great detail. See <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4033">4033</a>, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4034">4034</a>, and <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4035">4035</a>. With the publication of these new RFCs (March 2005), an earlier RFC, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2535">2535</a>, has become obsolete. The full set of RFCs that specify DNSSEC is collected in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc9364">9364</a>, which is also <a href="/wiki/Request_for_Comments#Best_Current_Practice" title="Request for Comments">BCP</a> 237. 
</p><p>It is widely believed<sup id="cite_ref-4" class="reference"><a href="#cite_note-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered (As of 22 January 2010<sup class="plainlinks noexcerpt noprint asof-tag update" style="display:none;"><a class="external text" href="https://en.wikipedia.org/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit">[update]</a></sup>) by several difficulties: </p> <ul><li>The need to design a backward-compatible standard that can scale to the size of the Internet</li> <li>Prevention of "zone enumeration" where desired</li> <li>Deployment of DNSSEC implementations across a wide variety of DNS servers and resolvers (clients)</li> <li>Disagreement among implementers over who should own the <a href="/wiki/Top-level_domain" title="Top-level domain">top-level domain</a> root keys</li> <li>Overcoming the perceived complexity of DNSSEC and DNSSEC deployment</li></ul> <div class="mw-heading mw-heading2"><h2 id="Operation">Operation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=2" title="Edit section: Operation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNSSEC works by <a href="/wiki/Digital_signature" title="Digital signature">digitally signing</a> records for DNS lookup using <a href="/wiki/Public-key_cryptography" title="Public-key cryptography">public-key cryptography</a>. 
The correct DNSKEY record is authenticated via a <a href="/wiki/Chain_of_trust" title="Chain of trust">chain of trust</a>, starting with a set of verified public keys for the <a href="/wiki/DNS_root_zone" title="DNS root zone">DNS root zone</a> which is the <a href="/wiki/Trusted_third_party" title="Trusted third party">trusted third party</a>. Domain owners generate their own keys, and upload them using their DNS control panel at their domain-name registrar, which in turn pushes the keys via secDNS to the zone operator (e.g., Verisign for .com) who signs and publishes them in DNS. </p> <div class="mw-heading mw-heading3"><h3 id="Resource_records">Resource records</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=3" title="Edit section: Resource records"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNS is implemented by the use of several resource records. To implement DNSSEC, several new <a href="/wiki/List_of_DNS_record_types" title="List of DNS record types">DNS record types</a> were created or adapted to use with DNSSEC: </p> <dl><dt>RRSIG (resource record signature)</dt> <dd>Contains the DNSSEC signature for a record set. DNS resolvers verify the signature with a public key, stored in a DNSKEY record.</dd> <dt>DNSKEY</dt> <dd>Contains the public key that a DNS resolver uses to verify DNSSEC signatures in RRSIG records.</dd> <dt>DS (delegation signer)</dt> <dd>Holds the name of a delegated zone. References a DNSKEY record in the sub-delegated zone. The DS record is placed in the parent zone along with the delegating NS records.</dd> <dt>NSEC (next secure record)</dt> <dd>Contains a link to the next record name in the zone and lists the record types that exist for the record's name. 
DNS resolvers use NSEC records to verify the non-existence of a record name and type as part of DNSSEC validation.</dd> <dt>NSEC3 (next secure record version 3)</dt> <dd>Contains links to the next record name in the zone (in hashed name sorting order) and lists the record types that exist for the name covered by the hash value in the first label of the NSEC3 record's own name. These records can be used by resolvers to verify the non-existence of a record name and type as part of DNSSEC validation. NSEC3 records are similar to NSEC records, but NSEC3 uses cryptographically hashed record names to avoid the enumeration of the record names in a zone.</dd> <dt>NSEC3PARAM (next secure record version 3 parameters)</dt> <dd>Authoritative DNS servers use this record to calculate and determine which NSEC3 records to include in responses to DNSSEC requests for non-existing names/types.</dd></dl> <p>When DNSSEC is used, each answer to a DNS lookup contains an RRSIG DNS record, in addition to the record type that was requested. The RRSIG record is a digital signature of the answer <a href="/wiki/DNS" class="mw-redirect" title="DNS">DNS</a> resource record set. The digital signature is verified by locating the correct public key found in a DNSKEY record. The NSEC and NSEC3 records are used to provide cryptographic evidence of the non-existence of any Resource Record (RR). The DS record is used in the authentication of DNSKEYs in the lookup procedure using the chain of trust. NSEC and NSEC3 records are used for robust resistance against spoofing. 
</p> <div class="mw-heading mw-heading4"><h4 id="Algorithms">Algorithms</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=4" title="Edit section: Algorithms"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNSSEC was designed to be extensible so that as attacks are discovered against existing algorithms, new ones can be introduced in a <a href="/wiki/Backward-compatible" class="mw-redirect" title="Backward-compatible">backward-compatible</a> fashion as described in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8624">8624</a>. The following table defines, as of June 2019, the security algorithms that are or were most often used:<sup id="cite_ref-5" class="reference"><a href="#cite_note-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> </p> <table class="wikitable"> <tbody><tr> <th>Algorithm field </th> <th>Algorithm </th> <th>Source </th> <th>DNSSEC Signing </th> <th>DNSSEC Validation </th></tr> <tr> <td>1</td> <td><a href="/wiki/RSA_(algorithm)" class="mw-redirect" title="RSA (algorithm)">RSA</a>/<a href="/wiki/MD5" title="MD5">MD5</a></td> <td></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement</td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement </td></tr> <tr> <td>3</td> <td><a href="/wiki/Digital_Signature_Algorithm" title="Digital Signature Algorithm">DSA</a>/<a href="/wiki/SHA-1" title="SHA-1">SHA-1</a></td> <td></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not 
Implement</td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement </td></tr> <tr> <td>5</td> <td>RSA/SHA-1</td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3110">3110</a></td> <td style="background: #FFE3E3; color: black; vertical-align: middle; text-align: center;" class="table-no2">Not Recommended</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>6</td> <td>DSA-NSEC3-SHA1</td> <td></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement</td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement </td></tr> <tr> <td>7</td> <td>RSASHA1-NSEC3-SHA1</td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5155">5155</a></td> <td style="background: #FFE3E3; color: black; vertical-align: middle; text-align: center;" class="table-no2">Not Recommended</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>8</td> <td>RSA/<a href="/wiki/SHA-2" title="SHA-2">SHA-256</a></td> <td rowspan="2"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5702">5702</a></td> <td 
style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>10</td> <td>RSA/<a href="/wiki/SHA-2" title="SHA-2">SHA-512</a></td> <td style="background: #FFE3E3; color: black; vertical-align: middle; text-align: center;" class="table-no2">Not Recommended</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>12</td> <td><a href="/wiki/GOST" title="GOST">GOST</a> <a href="/wiki/GOST_(hash_function)" title="GOST (hash function)">R 34.10-2001</a></td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5933">5933</a></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement</td> <td style="background: #FFD; color:black; vertical-align: middle; text-align: center;" class="partial table-partial">Optional </td></tr> <tr> <td>13</td> <td><a href="/wiki/Elliptic_Curve_DSA" class="mw-redirect" title="Elliptic Curve DSA">ECDSA</a> P-256/<a href="/wiki/SHA-2" title="SHA-2">SHA-256</a></td> <td rowspan="2"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6605">6605</a></td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>14</td> <td>ECDSA P-384/<a 
href="/wiki/SHA-2" title="SHA-2">SHA-384</a></td> <td style="background: #FFD; color:black; vertical-align: middle; text-align: center;" class="partial table-partial">Optional</td> <td style="background:#FFB; color:black;vertical-align:middle;text-align:center;" class="table-partial">Recommended </td></tr> <tr> <td>15</td> <td><a href="/wiki/Ed25519" class="mw-redirect" title="Ed25519">Ed25519</a></td> <td rowspan="2"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8080">8080</a></td> <td style="background:#FFB; color:black;vertical-align:middle;text-align:center;" class="table-partial">Recommended</td> <td style="background:#FFB; color:black;vertical-align:middle;text-align:center;" class="table-partial">Recommended </td></tr> <tr> <td>16</td> <td><a href="/wiki/Curve448" title="Curve448">Ed448</a></td> <td style="background: #FFD; color:black; vertical-align: middle; text-align: center;" class="partial table-partial">Optional</td> <td style="background:#FFB; color:black;vertical-align:middle;text-align:center;" class="table-partial">Recommended </td></tr></tbody></table> <table class="wikitable"> <tbody><tr> <th>Digest field </th> <th>Digest </th> <th>Source </th> <th>DNSSEC Delegation </th> <th>DNSSEC Validation </th></tr> <tr> <td>1</td> <td><a href="/wiki/SHA-1" title="SHA-1">SHA-1</a></td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3658">3658</a></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement</td> <td 
style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>2</td> <td><a href="/wiki/SHA-256" class="mw-redirect" title="SHA-256">SHA-256</a></td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4509">4509</a></td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required</td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Required </td></tr> <tr> <td>3</td> <td><a href="/wiki/GOST" title="GOST">GOST</a> <a href="/wiki/GOST_(hash_function)" title="GOST (hash function)">R 34.10-2001</a></td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5933">5933</a></td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Must Not Implement</td> <td style="background: #FFD; color:black; vertical-align: middle; text-align: center;" class="partial table-partial">Optional </td></tr> <tr> <td>4</td> <td><a href="/wiki/SHA-384" class="mw-redirect" title="SHA-384">SHA-384</a></td> <td><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6605">6605</a></td> <td style="background: #FFD; color:black; vertical-align: middle; text-align: center;" class="partial table-partial">Optional</td> <td style="background:#FFB; 
color:black;vertical-align:middle;text-align:center;" class="table-partial">Recommended </td></tr></tbody></table> <div class="mw-heading mw-heading3"><h3 id="The_lookup_procedure">The lookup procedure</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=5" title="Edit section: The lookup procedure"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>From the results of a DNS lookup, a security-aware <a href="/wiki/DNS_resolver" class="mw-redirect" title="DNS resolver">DNS resolver</a> can determine whether the <a href="/wiki/Authoritative_name_server" class="mw-redirect" title="Authoritative name server">authoritative name server</a> for the domain being queried supports DNSSEC, whether the answer it receives is secure, and whether there is some sort of error. The lookup procedure is different for <a href="/wiki/Domain_Name_System#Recursive_and_caching_name_server" title="Domain Name System">recursive name servers</a> such as those of many <a href="/wiki/Internet_service_provider" title="Internet service provider">ISPs</a>, and for <a href="/wiki/Stub_resolver" class="mw-redirect" title="Stub resolver">stub resolvers</a> such as those included by default in mainstream operating systems. 
<a href="/wiki/Microsoft_Windows" title="Microsoft Windows">Microsoft Windows</a> uses a stub resolver, and Windows Server 2008 R2 and Windows 7 in particular use a non-validating but DNSSEC-aware stub resolver.<sup id="cite_ref-windows-understanding_6-0" class="reference"><a href="#cite_note-windows-understanding-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-windows-dnssec_7-0" class="reference"><a href="#cite_note-windows-dnssec-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="Recursive_name_servers">Recursive name servers</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=6" title="Edit section: Recursive name servers"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Using the <a href="/wiki/Chain_of_trust" title="Chain of trust">chain of trust</a> model, a Delegation Signer (DS) record in a parent domain (<a href="/wiki/DNS_zone" title="DNS zone">DNS zone</a>) can be used to verify a DNSKEY record in a <a href="/wiki/Subdomain" title="Subdomain">subdomain</a>, which can then contain other DS records to verify further subdomains. Say that a recursive resolver such as an ISP name server wants to get the IP addresses (<a href="/wiki/A_record" class="mw-redirect" title="A record">A record</a> and/or <a href="/wiki/AAAA_record" class="mw-redirect" title="AAAA record">AAAA records</a>) of the domain "www.<a href="/wiki/Example.com" title="Example.com">example.com</a>". </p> <ol><li>The process starts when a security-aware resolver sets the "DO" ("DNSSEC OK") flag bit in a DNS query. 
Since the DO bit is in the extended flag bits defined by <a href="/wiki/Extension_Mechanisms_for_DNS" title="Extension Mechanisms for DNS">Extension Mechanisms for DNS (EDNS)</a>, <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6891">6891</a>, all DNSSEC transactions must support EDNS. EDNS support is also needed to allow for the much larger packet sizes that DNSSEC transactions require.</li> <li>When the resolver receives an answer via the normal DNS lookup process, it then checks to make sure that the answer is correct. Ideally, the security-aware resolver would start with verifying the DS and DNSKEY records at the <a href="/wiki/DNS_root" class="mw-redirect" title="DNS root">DNS root</a>. Then it would use the DS records for the "com" <a href="/wiki/Top-level_domain" title="Top-level domain">top-level domain</a> found at the root to verify the DNSKEY records in the "com" zone. From there, it would see if there is a DS record for the "example.com" subdomain in the "com" zone, and if there were, it would then use the DS record to verify a DNSKEY record found in the "example.com" zone. Finally, it would verify the RRSIG record found in the answer for the A records for "www.example.com".</li></ol> <p>There are several exceptions to the above example. </p><p>First, if "example.com" does not support DNSSEC, there will be no RRSIG record in the answer and there will not be a DS record for "example.com" in the "com" zone. If there is a DS record for "example.com", but no RRSIG record in the reply, something is wrong and maybe a <a href="/wiki/Man_in_the_middle_attack" class="mw-redirect" title="Man in the middle attack">man in the middle attack</a> is going on, stripping the DNSSEC information and modifying the A records. 
Or, it could be a broken security-oblivious name server along the way that stripped the DO flag bit from the query or the RRSIG record from the answer. Or, it could be a configuration error. Whatever the cause, a validating resolver cannot tell these cases apart and must treat the answer as failing validation rather than accept the unsigned data. </p><p>Next, it may be that there is not a domain name named "www.example.com", in which case instead of returning an RRSIG record in the answer, there will be either an NSEC record or an NSEC3 record. These are "next secure" records that allow the resolver to prove that a domain name does not exist. The NSEC/NSEC3 records have RRSIG records, which can be verified as above. </p><p>Finally, it may be that the "example.com" zone implements DNSSEC, but either the "com" zone or the root zone does not, creating an "island of security" which needs to be validated in some other way. As of 15 July 2010<sup class="plainlinks noexcerpt noprint asof-tag update" style="display:none;"><a class="external text" href="https://en.wikipedia.org/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit">[update]</a></sup>, deployment of DNSSEC to root is completed.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> The .com domain was signed with valid security keys and the secure delegation was added to the root zone on 1 April 2011.<sup id="cite_ref-9" class="reference"><a href="#cite_note-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="Stub_resolvers">Stub resolvers</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=7" title="Edit section: Stub resolvers"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Stub resolvers are "minimal DNS resolvers that use recursive query mode to offload most of the work of DNS resolution to a recursive name server."<sup 
id="cite_ref-rfc4033_section7_10-0" class="reference"><a href="#cite_note-rfc4033_section7-10"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup> A stub resolver will simply forward a request to a recursive name server, and use the Authenticated Data (AD) bit in the response as a "hint to find out whether the recursive name server was able to validate signatures for all of the data in the Answer and Authority sections of the response."<sup id="cite_ref-rfc4033_p12_11-0" class="reference"><a href="#cite_note-rfc4033_p12-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Microsoft_Windows" title="Microsoft Windows">Microsoft Windows</a> uses a stub resolver, and Windows Server 2008 R2 and Windows 7 in particular use a non-validating but AD-bit-aware stub resolver.<sup id="cite_ref-windows-understanding_6-1" class="reference"><a href="#cite_note-windows-understanding-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-windows-dnssec_7-1" class="reference"><a href="#cite_note-windows-dnssec-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> </p><p>A <i>validating stub resolver</i> can also potentially perform its own signature validation by setting the Checking Disabled (CD) bit in its query messages.<sup id="cite_ref-rfc4033_p12_11-1" class="reference"><a href="#cite_note-rfc4033_p12-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> A validating stub resolver uses the CD bit to perform its own recursive authentication. Using such a validating stub resolver gives the client end-to-end DNS security for domains implementing DNSSEC, even if the Internet service provider or the connection to them is not trusted. 
</p><p>Non-validating stub resolvers must rely on external DNSSEC validation services, such as those controlled by the user's <a href="/wiki/Internet_service_provider" title="Internet service provider">Internet service provider</a> or a <a href="/wiki/Public_recursive_name_server" title="Public recursive name server">public recursive name server</a>, and on the communication channels between themselves and those name servers, which can be protected using methods such as <a href="/wiki/DNS_over_TLS" title="DNS over TLS">DNS over TLS</a>.<sup id="cite_ref-rfc4033_p12_11-2" class="reference"><a href="#cite_note-rfc4033_p12-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-practical-ipsec_12-0" class="reference"><a href="#cite_note-practical-ipsec-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Trust_anchors_and_authentication_chains">Trust anchors and authentication chains</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=8" title="Edit section: Trust anchors and authentication chains"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>To be able to prove that a DNS answer is correct, one needs to know at least one key or DS record that is correct from sources other than the DNS. These starting points are known as <b>trust anchors</b> and are typically obtained with the <a href="/wiki/Operating_system" title="Operating system">operating system</a> or via some other trusted source. When DNSSEC was originally designed, it was thought that the only trust anchor that would be needed was for the <a href="/wiki/DNS_root" class="mw-redirect" title="DNS root">DNS root</a>. 
The root anchors were first published on 15 July 2010.<sup id="cite_ref-13" class="reference"><a href="#cite_note-13"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> </p><p>An <i><a href="/wiki/Authentication" title="Authentication">authentication</a> chain</i> is a series of linked DS and DNSKEY records, starting with a <a href="/wiki/Trust_anchor" title="Trust anchor">trust anchor</a> to the <a href="/wiki/Authoritative_name_server" class="mw-redirect" title="Authoritative name server">authoritative name server</a> for the domain in question. Without a complete authentication chain, an answer to a DNS lookup cannot be securely authenticated. </p> <div class="mw-heading mw-heading3"><h3 id="Signatures_and_zone_signing">Signatures and zone signing</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=9" title="Edit section: Signatures and zone signing"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>To limit replay attacks, there are not only the normal DNS TTL values for caching purposes, but additional timestamps in RRSIG records to limit the validity of a signature. Unlike TTL values which are relative to when the records were sent, the timestamps are absolute. This means that all security-aware DNS resolvers must have clocks that are fairly closely in sync, say to within a few minutes. </p><p>These timestamps imply that a zone must regularly be re-signed and re-distributed to secondary servers, or the signatures will be rejected by validating resolvers. 
</p> <div class="mw-heading mw-heading3"><h3 id="Key_management">Key management</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=10" title="Edit section: Key management"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNSSEC involves many different keys, stored both in DNSKEY records, and from other sources to form <a href="/wiki/Trust_anchor" title="Trust anchor">trust anchors</a>. </p><p>In order to allow for replacement keys, a <b>key rollover</b> scheme is required. Typically, this involves first rolling out new keys in new DNSKEY records, in addition to the existing old keys. Then, when it is safe to assume that the <a href="/wiki/Time_to_live" title="Time to live">time to live</a> values have caused the caching of old keys to have passed, these new keys can be used. Finally, when it is safe to assume that the caching of records using the old keys have expired, the old DNSKEY records can be deleted. This process is more complicated for things such as the keys to trust anchors, such as at the root, which may require an update of the operating system. </p><p>Keys in DNSKEY records can be used for two different things and typically different DNSKEY records are used for each. First, there are <b>key signing keys</b> (KSK) which are used to sign other DNSKEY records containing <b>zone signing keys</b> (ZSK), which are used to sign other records. Since the ZSKs are under complete control and use by one particular <a href="/wiki/DNS_zone" title="DNS zone">DNS zone</a>, they can be switched more easily and more often. As a result, ZSKs can be much shorter than KSKs and still offer the same level of protection while reducing the size of the RRSIG/DNSKEY records. </p><p>When a new KSK is created, the DS record must be transferred to the parent zone and published there. 
The DS records use a <a href="/wiki/Message_digest" class="mw-redirect" title="Message digest">message digest</a> of the KSK instead of the complete key in order to keep the size of the records small. This is helpful for zones such as the <a href="/wiki/.com" title=".com">.com</a> domain, which are very large. The procedure to update DS keys in the parent zone is also simpler than in earlier DNSSEC versions that required DNSKEY records to be in the parent zone. </p><p>A closely related principle is that of <b>Algorithm rollover</b>, which involves migrating a zone from one signing algorithm to another. A good example of this would be migrating from Algorithm 8 (RSA/SHA-256) to Algorithm 13 (ECDSA/SHA-256). Several ccTLDs have already migrated, including <a href="/wiki/.at" title=".at">.at</a>, <a href="/wiki/.br" title=".br">.br</a>, <a href="/wiki/.cz" title=".cz">.cz</a>, <a href="/wiki/.ch" title=".ch">.ch</a>, <a href="/wiki/.fr" title=".fr">.fr</a>, <a href="/wiki/.ie" title=".ie">.ie</a>, <a href="/wiki/.nl" title=".nl">.nl</a><sup id="cite_ref-14" class="reference"><a href="#cite_note-14"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup> and <a href="/wiki/.ph" title=".ph">.ph</a>. 
<a href="/wiki/Verisign" title="Verisign">Verisign</a> migrated .com, .net and .edu to Algorithm 13 in late 2023.<sup id="cite_ref-15" class="reference"><a href="#cite_note-15"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">[</span>16<span class="cite-bracket">]</span></a></sup> The migration of the root domain from Algorithm 8 to Algorithm 13 is currently in planning as of early 2024.<sup id="cite_ref-17" class="reference"><a href="#cite_note-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="DANE_Working_Group">DANE Working Group</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=11" title="Edit section: DANE Working Group"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/DNS-based_Authentication_of_Named_Entities" title="DNS-based Authentication of Named Entities">DNS-based Authentication of Named Entities</a> (DANE) is an IETF working group<sup id="cite_ref-18" class="reference"><a href="#cite_note-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> with the goal of developing protocols and techniques that allow Internet applications to establish cryptographically secured communications with <a href="/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS</a>, <a href="/wiki/DTLS" class="mw-redirect" title="DTLS">DTLS</a>, <a href="/wiki/Simple_Mail_Transfer_Protocol" title="Simple Mail Transfer Protocol">SMTP</a>, and <a href="/wiki/S/MIME" title="S/MIME">S/MIME</a> based on DNSSEC. 
</p><p>The new protocols will enable additional assurances and constraints for the traditional model based on <a href="/wiki/Public_key_infrastructure" title="Public key infrastructure">public key infrastructure</a>. They will also enable domain holders to assert certificates for themselves, without reference to third-party <a href="/wiki/Certificate_authority" title="Certificate authority">certificate authorities</a>. </p><p>Support for DNSSEC stapled certificates was enabled in <a href="/wiki/Google_Chrome" title="Google Chrome">Google Chrome</a> 14,<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup> but was later removed.<sup id="cite_ref-20" class="reference"><a href="#cite_note-20"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup> For <a href="/wiki/Mozilla_Firefox" class="mw-redirect" title="Mozilla Firefox">Mozilla Firefox</a>, support was provided by an add-on<sup id="cite_ref-21" class="reference"><a href="#cite_note-21"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup> while native support is currently awaiting someone to start working on it.<sup id="cite_ref-22" class="reference"><a href="#cite_note-22"><span class="cite-bracket">[</span>22<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="History">History</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=12" title="Edit section: History"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNS is a critical and fundamental Internet service, yet in 1990 <a href="/wiki/Steve_Bellovin" class="mw-redirect" title="Steve Bellovin">Steve Bellovin</a> discovered serious security flaws in it. 
Research into securing it began, and progressed dramatically when his paper was made public in 1995.<sup id="cite_ref-23" class="reference"><a href="#cite_note-23"><span class="cite-bracket">[</span>23<span class="cite-bracket">]</span></a></sup> The initial RFC 2065 was published by the IETF in 1997, and initial attempts to implement that specification led to a revised (and believed fully workable) specification in 1999 as IETF RFC 2535. Plans were made to deploy DNSSEC based on RFC 2535. </p><p>Unfortunately, the IETF RFC 2535 specification had very significant problems scaling up to the full Internet; by 2001 it became clear that this specification was unusable for large networks. In normal operation DNS servers often get out of sync with their parents. This isn't usually a problem, but when DNSSEC is enabled, this out-of-sync data could have the effect of a serious self-created denial of service. The original DNSSEC required a complex six-message protocol and a lot of data transfers to perform key changes for a child (DNS child zones had to send all of their data up to the parent, have the parent sign each record, and then send those signatures back to the child for the child to store in a SIG record). Also, public key changes could have absurd effects; for example, if the ".com" zone changed its public key, it would have to send 22 million records (because it would need to update all of the signatures in all of its children). Thus, DNSSEC as defined in RFC 2535 could not scale up to the Internet. </p><p>The IETF fundamentally modified DNSSEC, which is called <i>DNSSEC-bis</i> when necessary to distinguish it from the original DNSSEC approach of RFC 2535. This new version uses "delegation signer (DS) resource records" to provide an additional level of indirection at delegation points between a parent and child zone. 
In the new approach, when a child's master public key changes, instead of having six messages for every record in the child, there is one simple message: the child sends the new public key to its parent (signed, of course). Parents simply store one master public key for each child; this is much more practical. This means that a little data is pushed to the parent, instead of massive amounts of data being exchanged between the parent and children. This does mean that clients have to do a little more work when verifying keys. More specifically, verifying a DNS zone's KEY RRset requires two signature verification operations instead of the one required by RFC 2535 (there is no impact on the number of signatures verified for other types of RRsets). Most view this as a small price to pay, since it makes DNSSEC deployment more practical. The new version is published in RFC4033-4035. </p><p>In January 2024, a "KeyTrap" denial-of-service attack was announced for all specification-respecting DNSSEC resolvers. The DNSSEC specification (RFC4033-4035) specifies that a resolver, when receiving a signed packet from the upstream, should try <i>all</i> keys with the correct "tag" on <i>all</i> signatures until one of the combinations successfully verifies. By putting many keys with the same "tag" and many signatures corresponding to that "tag" in a packet, the researchers can slow down a resolver by a factor of 2 million. 
In response, resolvers began to place limits on the number of verification errors, key tag collisions, and hash calculations.<sup id="cite_ref-24" class="reference"><a href="#cite_note-24"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Authenticating_NXDOMAIN_responses_and_NSEC">Authenticating NXDOMAIN responses and NSEC</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=13" title="Edit section: Authenticating NXDOMAIN responses and NSEC"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Cryptographically proving the absence of a domain requires signing the response to every query for a non-existent domain. This is not a problem for online signing servers, which keep their keys available online. However, DNSSEC was designed around using offline computers to sign records so that zone-signing-keys could be kept in cold storage. This represents a problem when trying to authenticate responses to queries for non-existent domains since it is impossible to pre-generate a response to every possible hostname query. </p><p>The initial solution was to create NSEC records for every pair of adjacent domains in a zone. Thus if a client queried for a record at the non-existent <code>k.example.com</code>, the server would respond with an NSEC record stating that nothing exists between <code>a.example.com</code> and <code>z.example.com</code>. However, this leaks more information about the zone than traditional unauthenticated NXDOMAIN errors because it exposes the existence of real domains, which lets the contents of the zone be enumerated. 
</p> <div class="mw-heading mw-heading3"><h3 id="Preventing_domain_walking">Preventing domain walking</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=14" title="Edit section: Preventing domain walking"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The NSEC3 records (RFC 5155) were created as an alternative which hashes the names instead of listing them directly. Over time, advancements in hashing using GPUs and dedicated hardware meant that NSEC3 responses could be cheaply brute-forced using offline dictionary attacks. <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/draft-vcelak-nsec5/">NSEC5</a> has been proposed to allow authoritative servers to sign NSEC responses without having to keep a private key that can be used to modify the zone. Thus stealing an NSEC5KEY would only result in the ability to more easily enumerate a zone.<sup id="cite_ref-25" class="reference"><a href="#cite_note-25"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup> </p><p>Due to the messy evolution of the protocol and a desire to preserve backwards compatibility, online DNSSEC signing servers return a "white lie" instead of authenticating a denial of existence directly. The technique outlined in RFC 4470 returns an NSEC record in which a pair of domains lexically surrounds the requested domain. For example, a request for <code>k.example.com</code> would thus result in an NSEC record proving that nothing exists between the (fictitious) domains <code>j.example.com</code> and <code>l.example.com</code>. 
This is also possible with NSEC3 records.<sup id="cite_ref-26" class="reference"><a href="#cite_note-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> </p><p>CloudFlare pioneered a pair of alternative approaches, which manage to achieve the same result in one third of the response size.<sup id="cite_ref-cloudflare_black_lies_27-0" class="reference"><a href="#cite_note-cloudflare_black_lies-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> The first is a variation on the "white lies" approach, called "black lies", which exploits common DNS client behavior to state the nonexistence more compactly.<sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">[</span>28<span class="cite-bracket">]</span></a></sup> The second approach instead chooses to prove that "the record exists but the requested record type does not", which they call "DNS shotgun".<sup id="cite_ref-29" class="reference"><a href="#cite_note-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-cloudflare_black_lies_27-1" class="reference"><a href="#cite_note-cloudflare_black_lies-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Deployment">Deployment</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=15" title="Edit section: Deployment"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The Internet is critical infrastructure, yet its operation depends on the fundamentally insecure DNS. Thus, there is strong incentive to secure DNS, and deploying DNSSEC is generally considered to be a critical part of that effort. For example, the U.S. 
<i>National Strategy to Secure Cyberspace</i> specifically identified the need to secure DNS.<sup id="cite_ref-30" class="reference"><a href="#cite_note-30"><span class="cite-bracket">[</span>30<span class="cite-bracket">]</span></a></sup> Wide-scale deployment of DNSSEC could resolve many other security problems as well, such as secure key distribution for e-mail addresses. </p><p>DNSSEC deployment in large-scale networks is also challenging. Ozment and Schechter observe that DNSSEC (and other technologies) has a "bootstrap problem": users typically only deploy a technology if they receive an immediate benefit, but if a minimal level of deployment is required before <i>any</i> users receive a benefit greater than their costs (as is true for DNSSEC), it is difficult to deploy. DNSSEC can be deployed at any level of a DNS hierarchy, but it must be widely available in a zone before many others will want to adopt it. DNS servers must be updated with software that supports DNSSEC, and DNSSEC data must be created and added to the DNS zone data. A TCP/IP-using client must have their DNS resolver (client) updated before it can use DNSSEC's capabilities. What is more, any resolver must have, or have a way to acquire, at least one public key that it can trust before it can start using DNSSEC. </p><p>DNSSEC implementation can add significant load to some DNS servers. Common DNSSEC-signed responses are far larger than the default UDP size of 512 bytes. In theory, this can be handled through multiple IP fragments, but many "middleboxes" in the field do not handle these correctly. This leads to the use of TCP instead. Yet many current TCP implementations store a great deal of data for each TCP connection; heavily loaded servers can run out of resources simply trying to respond to a larger number of (possibly bogus) DNSSEC requests. 
Some protocol extensions, such as <a href="/wiki/TCP_Cookie_Transactions" title="TCP Cookie Transactions">TCP Cookie Transactions</a>, have been developed to reduce this loading.<sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">[</span>31<span class="cite-bracket">]</span></a></sup> To address these challenges, significant effort is ongoing to deploy DNSSEC, because the Internet is so vital to so many organizations. </p> <div class="mw-heading mw-heading3"><h3 id="Early_deployments">Early deployments</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=16" title="Edit section: Early deployments"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Early adopters include <a href="/wiki/Brazil" title="Brazil">Brazil</a> (<a href="/wiki/.br" title=".br">.br</a>), <a href="/wiki/Bulgaria" title="Bulgaria">Bulgaria</a> (<a href="/wiki/.bg" title=".bg">.bg</a>), <a href="/wiki/Czech_Republic" title="Czech Republic">Czech Republic</a> (<a href="/wiki/.cz" title=".cz">.cz</a>), <a href="/wiki/Namibia" title="Namibia">Namibia</a> (<a href="/wiki/.na" title=".na">.na</a>)<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">[</span>32<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Puerto_Rico" title="Puerto Rico">Puerto Rico</a> (<a href="/wiki/.pr" title=".pr">.pr</a>) and <a href="/wiki/Sweden" title="Sweden">Sweden</a> (<a href="/wiki/.se" title=".se">.se</a>), who use DNSSEC for their <a href="/wiki/Country_code_top-level_domain" title="Country code top-level domain">country code top-level domains</a>;<sup id="cite_ref-EPIC-20080527_33-0" class="reference"><a href="#cite_note-EPIC-20080527-33"><span class="cite-bracket">[</span>33<span class="cite-bracket">]</span></a></sup> <a href="/wiki/RIPE_NCC" title="RIPE NCC">RIPE NCC</a>, who have 
signed all the reverse lookup records (in-addr.arpa) that are delegated to it from the <a href="/wiki/Internet_Assigned_Numbers_Authority" title="Internet Assigned Numbers Authority">Internet Assigned Numbers Authority</a> (IANA).<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">[</span>34<span class="cite-bracket">]</span></a></sup> <a href="/wiki/ARIN" class="mw-redirect" title="ARIN">ARIN</a> is also signing their reverse zones.<sup id="cite_ref-35" class="reference"><a href="#cite_note-35"><span class="cite-bracket">[</span>35<span class="cite-bracket">]</span></a></sup> In February 2007, <a href="/wiki/TDC_A/S" class="mw-redirect" title="TDC A/S">TDC</a> became the first Swedish ISP to start offering this feature to its customers.<sup id="cite_ref-36" class="reference"><a href="#cite_note-36"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup> </p><p>IANA publicly tested a sample signed root since June 2007. During this period prior to the production signing of the root, there were also several alternative trust anchors. 
The IKS Jena introduced one on January 19, 2006,<sup id="cite_ref-37" class="reference"><a href="#cite_note-37"><span class="cite-bracket">[</span>37<span class="cite-bracket">]</span></a></sup> the <a href="/wiki/Internet_Systems_Consortium" title="Internet Systems Consortium">Internet Systems Consortium</a> introduced another on March 27 of the same year,<sup id="cite_ref-38" class="reference"><a href="#cite_note-38"><span class="cite-bracket">[</span>38<span class="cite-bracket">]</span></a></sup> while <a href="/wiki/ICANN" title="ICANN">ICANN</a> themselves announced a third on February 17, 2009.<sup id="cite_ref-39" class="reference"><a href="#cite_note-39"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup> </p><p>On June 2, 2009, <a href="/wiki/Afilias" title="Afilias">Afilias</a>, the registry service provider for <a href="/wiki/Public_Interest_Registry" title="Public Interest Registry">Public Interest Registry</a>'s .org zone signed the .org TLD.<sup id="cite_ref-40" class="reference"><a href="#cite_note-40"><span class="cite-bracket">[</span>40<span class="cite-bracket">]</span></a></sup> Afilias and PIR also detailed on September 26, 2008, that the first phase, involving large registrars it has a strong working relationship with ("friends and family") would be the first to be able to sign their domains, beginning "early 2009".<sup id="cite_ref-41" class="reference"><a href="#cite_note-41"><span class="cite-bracket">[</span>41<span class="cite-bracket">]</span></a></sup> On June 23, 2010, 13 registrars were listed as offering DNSSEC records for .ORG domains.<sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">[</span>42<span class="cite-bracket">]</span></a></sup> </p><p>VeriSign ran a pilot project to allow .com and .net domains to register themselves for the purpose of NSEC3 experimentation. 
On February 24, 2009, they announced that they would deploy DNSSEC across all their top-level domains (.com, .net, etc.) within 24 months,<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">[</span>43<span class="cite-bracket">]</span></a></sup> and on November 16 of the same year, they said the .com and .net domains would be signed by the first quarter of 2011, after delays caused by technical aspects of the implementation.<sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">[</span>44<span class="cite-bracket">]</span></a></sup> This goal was achieved on-schedule<sup id="cite_ref-45" class="reference"><a href="#cite_note-45"><span class="cite-bracket">[</span>45<span class="cite-bracket">]</span></a></sup> and Verisign's DNSSEC VP, Matt Larson, won InfoWorld's Technology Leadership Award for 2011 for his role in advancing DNSSEC.<sup id="cite_ref-46" class="reference"><a href="#cite_note-46"><span class="cite-bracket">[</span>46<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-47" class="reference"><a href="#cite_note-47"><span class="cite-bracket">[</span>47<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Deployment_at_the_DNS_root">Deployment at the DNS root</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=17" title="Edit section: Deployment at the DNS root"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNSSEC was first deployed at the root level on July 15, 2010.<sup id="cite_ref-dnssec-status-live_48-0" class="reference"><a href="#cite_note-dnssec-status-live-48"><span class="cite-bracket">[</span>48<span class="cite-bracket">]</span></a></sup> This is expected to greatly simplify the deployment of DNSSEC resolvers, since the root trust anchor can be used to validate any 
DNSSEC zone that has a complete chain of trust from the root. Since the chain of trust must be traced back to a trusted root without interruption in order to validate, trust anchors must still be configured for secure zones if any of the zones above them are not secure. For example, if the zone "signed.example.org" was secured but the "example.org" zone was not, then, even though the ".org" zone and the root are signed, a trust anchor has to be deployed in order to validate the zone. </p><p>Political issues surrounding signing the root have been a continuous concern, primarily about some central issues: </p> <ul><li>Other countries are concerned about U.S. control over the Internet, and may reject any centralized keying for this reason.</li> <li>Some governments might try to ban DNSSEC-backed encryption key distribution.</li></ul> <div class="mw-heading mw-heading4"><h4 id="Planning">Planning</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=18" title="Edit section: Planning"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In September 2008, ICANN and VeriSign each published implementation proposals<sup id="cite_ref-49" class="reference"><a href="#cite_note-49"><span class="cite-bracket">[</span>49<span class="cite-bracket">]</span></a></sup> and in October, the <a href="/wiki/National_Telecommunications_and_Information_Administration" title="National Telecommunications and Information Administration">National Telecommunications and Information Administration</a> (NTIA) asked the public for comments.<sup id="cite_ref-50" class="reference"><a href="#cite_note-50"><span class="cite-bracket">[</span>50<span class="cite-bracket">]</span></a></sup> It is unclear if the comments received affected the design of the final deployment plan. 
</p><p>On June 3, 2009, the <a href="/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) announced plans to sign the root by the end of 2009, in conjunction with ICANN, <a href="/wiki/VeriSign" class="mw-redirect" title="VeriSign">VeriSign</a> and the NTIA.<sup id="cite_ref-NISTpr609_51-0" class="reference"><a href="#cite_note-NISTpr609-51"><span class="cite-bracket">[</span>51<span class="cite-bracket">]</span></a></sup> </p><p>On October 6, 2009, at the 59th <a href="/wiki/RIPE" title="RIPE">RIPE</a> Conference meeting, ICANN and VeriSign announced the planned deployment timeline for deploying DNSSEC within the root zone.<sup id="cite_ref-conf_52-0" class="reference"><a href="#cite_note-conf-52"><span class="cite-bracket">[</span>52<span class="cite-bracket">]</span></a></sup> At the meeting it was announced that it would be incrementally deployed to one root name server a month, starting on December 1, 2009, with the final root name server serving a DNSSEC signed zone on July 1, 2010, and the root zone will be signed with a RSA/SHA256 DNSKEY.<sup id="cite_ref-conf_52-1" class="reference"><a href="#cite_note-conf-52"><span class="cite-bracket">[</span>52<span class="cite-bracket">]</span></a></sup> During the incremental roll-out period the root zone will serve a <i>Deliberately Unvalidatable Root Zone</i> (DURZ) that uses dummy keys, with the final DNSKEY record not being distributed until July 1, 2010.<sup id="cite_ref-last-puzzle-pieces_53-0" class="reference"><a href="#cite_note-last-puzzle-pieces-53"><span class="cite-bracket">[</span>53<span class="cite-bracket">]</span></a></sup> This means the keys that were used to sign the zone are deliberately unverifiable; the reason for this deployment was to monitor changes in traffic patterns caused by the larger responses to queries requesting DNSSEC resource records. 
</p><p>The <a href="/wiki/.org" title=".org">.org</a> top-level domain was signed with DNSSEC in June 2010, followed by <a href="/wiki/.com" title=".com">.com</a>, <a href="/wiki/.net" title=".net">.net</a>, and <a href="/wiki/.edu" title=".edu">.edu</a> later in 2010 and 2011.<sup id="cite_ref-54" class="reference"><a href="#cite_note-54"><span class="cite-bracket">[</span>54<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-55" class="reference"><a href="#cite_note-55"><span class="cite-bracket">[</span>55<span class="cite-bracket">]</span></a></sup> <a href="/wiki/Country_code_top-level_domain" title="Country code top-level domain">Country code top-level domains</a> were able to deposit keys starting in May 2010.<sup id="cite_ref-heise_56-0" class="reference"><a href="#cite_note-heise-56"><span class="cite-bracket">[</span>56<span class="cite-bracket">]</span></a></sup> As of November 2011<sup class="plainlinks noexcerpt noprint asof-tag update" style="display:none;"><a class="external text" href="https://en.wikipedia.org/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit">[update]</a></sup> more than 25% of top-level domains are signed with DNSSEC.<sup id="cite_ref-57" class="reference"><a href="#cite_note-57"><span class="cite-bracket">[</span>57<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="Implementation">Implementation</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=19" title="Edit section: Implementation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>On January 25, 2010, the L (ell) root server began serving a <i>Deliberately Unvalidatable Root Zone</i> (DURZ). 
The zone uses signatures of a <a href="/wiki/SHA-2" title="SHA-2">SHA-2</a> (SHA-256) hash created using the <a href="/wiki/RSA_(algorithm)" class="mw-redirect" title="RSA (algorithm)">RSA</a> algorithm, as defined in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5702">5702</a>. As of May 2010, all thirteen root servers began serving the DURZ.<sup id="cite_ref-last-puzzle-pieces_53-1" class="reference"><a href="#cite_note-last-puzzle-pieces-53"><span class="cite-bracket">[</span>53<span class="cite-bracket">]</span></a></sup> On July 15, 2010, the first full production DNSSEC root zone was signed, with the SOA serial 2010071501. Root trust anchors are <a rel="nofollow" class="external text" href="https://data.iana.org/root-anchors/">available from IANA</a>.<sup id="cite_ref-dnssec-status-live_48-1" class="reference"><a href="#cite_note-dnssec-status-live-48"><span class="cite-bracket">[</span>48<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Deployment_at_the_TLD_level">Deployment at the TLD level</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=20" title="Edit section: Deployment at the TLD level"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Underneath the root there is a large set of top-level domains that must be signed in order to achieve full DNSSEC deployment. The <a href="/wiki/List_of_Internet_top-level_domains" title="List of Internet top-level domains">List of Internet top-level domains</a> provides details about which of the existing top-level domains have been signed and linked to the root. 
</p> <div class="mw-heading mw-heading3"><h3 id="DNSSEC_Lookaside_Validation_-_historical">DNSSEC Lookaside Validation - historical</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=21" title="Edit section: DNSSEC Lookaside Validation - historical"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In March 2006, the <a href="/wiki/Internet_Systems_Consortium" title="Internet Systems Consortium">Internet Systems Consortium</a> introduced the DNSSEC Lookaside Validation registry.<sup id="cite_ref-58" class="reference"><a href="#cite_note-58"><span class="cite-bracket">[</span>58<span class="cite-bracket">]</span></a></sup> DLV was intended to make DNSSEC easier to deploy in the absence of a root trust anchor. At the time it was imagined that a validator might have to maintain large numbers of trust anchors corresponding to signed subtrees of the DNS.<sup id="cite_ref-59" class="reference"><a href="#cite_note-59"><span class="cite-bracket">[</span>59<span class="cite-bracket">]</span></a></sup> The purpose of DLV was to allow validators to offload the effort of managing a trust anchor repository to a trusted third party. The DLV registry maintained a central list of trust anchors, instead of each validator repeating the work of maintaining its own list. </p><p>To use DLV, a validator that supports it was needed, such as <a href="/wiki/BIND" title="BIND">BIND</a> or <a href="/wiki/Unbound_(DNS_Server)" class="mw-redirect" title="Unbound (DNS Server)">Unbound</a>, configured with a trust anchor for a DLV zone. 
This zone contained DLV records;<sup id="cite_ref-60" class="reference"><a href="#cite_note-60"><span class="cite-bracket">[</span>60<span class="cite-bracket">]</span></a></sup> these had exactly the same format as DS records, but instead of referring to a delegated sub-zone, they referred to a zone elsewhere in the DNS tree. When the validator could not find a chain of trust from the root to the RRset it is trying to check, it searched for a DLV record that could provide an alternative chain of trust.<sup id="cite_ref-61" class="reference"><a href="#cite_note-61"><span class="cite-bracket">[</span>61<span class="cite-bracket">]</span></a></sup> </p><p>Gaps in the chain of trust, such as unsigned top-level domains or registrars that did not support DNSSEC delegations, meant administrators of lower-level domains could use DLV to allow their DNS data to be validated by resolvers which had been configured to use DLV. This may have hindered DNSSEC deployment by taking pressure off registrars and TLD registries to properly support DNSSEC. DLV also added complexity by adding more actors and code paths for DNSSEC validation. </p><p>ISC decommissioned its DLV registry in 2017.<sup id="cite_ref-62" class="reference"><a href="#cite_note-62"><span class="cite-bracket">[</span>62<span class="cite-bracket">]</span></a></sup> DLV support was deprecated in BIND 9.12 and completely removed from BIND 9.16.<sup id="cite_ref-63" class="reference"><a href="#cite_note-63"><span class="cite-bracket">[</span>63<span class="cite-bracket">]</span></a></sup> Unbound version 1.5.4 (July 2015) marked DLV as decommissioned in the example configuration and manual page.<sup id="cite_ref-64" class="reference"><a href="#cite_note-64"><span class="cite-bracket">[</span>64<span class="cite-bracket">]</span></a></sup> Knot Resolver and PowerDNS Recursor never implemented DLV. 
</p><p>In March 2020, the <a href="/wiki/IETF" class="mw-redirect" title="IETF">IETF</a> published <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8749">8749</a>, retiring DLV as a standard and moving RFC 4431 and RFC 5074 to "Historic" status.<sup id="cite_ref-65" class="reference"><a href="#cite_note-65"><span class="cite-bracket">[</span>65<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="DNSSEC_deployment_initiative_by_the_U.S._federal_government">DNSSEC deployment initiative by the U.S. federal government</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=22" title="Edit section: DNSSEC deployment initiative by the U.S. federal government"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The Science and Technology Directorate of the <a href="/wiki/United_States_Department_of_Homeland_Security" title="United States Department of Homeland Security">U.S. Department of Homeland Security</a> (DHS) sponsors the "DNSSEC Deployment Initiative". This initiative encourages "all sectors to voluntarily adopt security measures that will improve security of the Internet's naming infrastructure, as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors." DHS also funds efforts to mature DNSSEC and get it deployed inside the U.S. federal government. 
</p><p>It was reported<sup id="cite_ref-66" class="reference"><a href="#cite_note-66"><span class="cite-bracket">[</span>66<span class="cite-bracket">]</span></a></sup> that on March 30, 2007, the <a href="/wiki/United_States_Department_of_Homeland_Security" title="United States Department of Homeland Security">U.S. Department of Homeland Security</a> proposed "to have the key to sign the DNS root zone solidly in the hands of the US government." However no U.S. Government officials were present in the meeting room and the comment that sparked the article was made by another party. DHS later commented<sup id="cite_ref-67" class="reference"><a href="#cite_note-67"><span class="cite-bracket">[</span>67<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-68" class="reference"><a href="#cite_note-68"><span class="cite-bracket">[</span>68<span class="cite-bracket">]</span></a></sup> on why they believe others jumped to the false conclusion that the U.S. Government had made such a proposal: "The U.S. Department of Homeland Security is funding the development of a technical plan for implementing DNSSec, and last October distributed an initial draft of it to a long list of international experts for comments. The draft lays out a series of options for who could be the holder, or "operator," of the Root Zone Key, essentially boiling down to a governmental agency or a contractor. "Nowhere in the document do we make any proposal about the identity of the Root Key Operator," said Maughan, the cyber-security research and development manager for Homeland Security." </p> <div class="mw-heading mw-heading3"><h3 id="DNSSEC_deployment_in_the_U.S._federal_government">DNSSEC deployment in the U.S. federal government</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=23" title="Edit section: DNSSEC deployment in the U.S. 
federal government"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1251242444">.mw-parser-output .ambox{border:1px solid #a2a9b1;border-left:10px solid #36c;background-color:#fbfbfb;box-sizing:border-box}.mw-parser-output .ambox+link+.ambox,.mw-parser-output .ambox+link+style+.ambox,.mw-parser-output .ambox+link+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+style+.ambox,.mw-parser-output .ambox+.mw-empty-elt+link+link+.ambox{margin-top:-1px}html body.mediawiki .mw-parser-output .ambox.mbox-small-left{margin:4px 1em 4px 0;overflow:hidden;width:238px;border-collapse:collapse;font-size:88%;line-height:1.25em}.mw-parser-output .ambox-speedy{border-left:10px solid #b32424;background-color:#fee7e6}.mw-parser-output .ambox-delete{border-left:10px solid #b32424}.mw-parser-output .ambox-content{border-left:10px solid #f28500}.mw-parser-output .ambox-style{border-left:10px solid #fc3}.mw-parser-output .ambox-move{border-left:10px solid #9932cc}.mw-parser-output .ambox-protection{border-left:10px solid #a2a9b1}.mw-parser-output .ambox .mbox-text{border:none;padding:0.25em 0.5em;width:100%}.mw-parser-output .ambox .mbox-image{border:none;padding:2px 0 2px 0.5em;text-align:center}.mw-parser-output .ambox .mbox-imageright{border:none;padding:2px 0.5em 2px 0;text-align:center}.mw-parser-output .ambox .mbox-empty-cell{border:none;padding:0;width:1px}.mw-parser-output .ambox .mbox-image-div{width:52px}@media(min-width:720px){.mw-parser-output .ambox{margin:0 10%}}@media print{body.ns-0 .mw-parser-output .ambox{display:none!important}}</style><table class="box-Update plainlinks metadata ambox ambox-content ambox-Update" role="presentation"><tbody><tr><td class="mbox-image"><div class="mbox-image-div"><span typeof="mw:File"><span><img alt="" 
src="//upload.wikimedia.org/wikipedia/commons/thumb/5/53/Ambox_current_red_Americas.svg/42px-Ambox_current_red_Americas.svg.png" decoding="async" width="42" height="34" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/5/53/Ambox_current_red_Americas.svg/63px-Ambox_current_red_Americas.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/5/53/Ambox_current_red_Americas.svg/84px-Ambox_current_red_Americas.svg.png 2x" data-file-width="360" data-file-height="290" /></span></span></div></td><td class="mbox-text"><div class="mbox-text-span">This section needs to be <b>updated</b>.<span class="hide-when-compact"> Please help update this article to reflect recent events or newly available information.</span> <span class="date-container"><i>(<span class="date">November 2015</span>)</i></span></div></td></tr></tbody></table> <p>The <a href="/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">National Institute of Standards and Technology</a> (NIST) published NIST Special Publication 800-81 Secure Domain Name System (DNS) Deployment Guide on May 16, 2006, with guidance on how to deploy DNSSEC. NIST intended to release new DNSSEC Federal Information Security Management Act (FISMA) requirements in NIST SP800-53-R1, referencing this deployment guide. U.S. agencies would then have had one year after final publication of NIST SP800-53-R1 to meet these new FISMA requirements.<sup id="cite_ref-69" class="reference"><a href="#cite_note-69"><span class="cite-bracket">[</span>69<span class="cite-bracket">]</span></a></sup> However, at the time NSEC3 had not been completed. NIST had suggested using split domains, a technique that is known to be possible but is difficult to deploy correctly, and has the security weaknesses noted above. </p><p>On 22 August 2008, the Office of Management and Budget (OMB) released a memorandum requiring U.S. 
Federal Agencies to deploy DNSSEC across .gov sites; the .gov root must be signed by January 2009, and all subdomains under .gov must be signed by December 2009.<sup id="cite_ref-70" class="reference"><a href="#cite_note-70"><span class="cite-bracket">[</span>70<span class="cite-bracket">]</span></a></sup> While the memo focuses on .gov sites, the U.S. Defense Information Systems Agency says it intends to meet OMB DNSSEC requirements in the .mil (U.S. military) domain as well. NetworkWorld's Carolyn Duffy Marsan stated that DNSSEC "hasn't been widely deployed because it suffers from a classic chicken-and-egg dilemma... with the OMB mandate, it appears the egg is cracking."<sup id="cite_ref-71" class="reference"><a href="#cite_note-71"><span class="cite-bracket">[</span>71<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Deployment_in_resolvers">Deployment in resolvers</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=24" title="Edit section: Deployment in resolvers"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Several ISPs have started to deploy DNSSEC-validating DNS recursive resolvers. 
Comcast became the first major ISP to do so in the United States, announcing their intentions on October 18, 2010<sup id="cite_ref-72" class="reference"><a href="#cite_note-72"><span class="cite-bracket">[</span>72<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-73" class="reference"><a href="#cite_note-73"><span class="cite-bracket">[</span>73<span class="cite-bracket">]</span></a></sup> and completing deployment on January 11, 2012.<sup id="cite_ref-74" class="reference"><a href="#cite_note-74"><span class="cite-bracket">[</span>74<span class="cite-bracket">]</span></a></sup> </p><p>According to a study at <a href="/wiki/APNIC" title="APNIC">APNIC</a>, the proportion of clients who exclusively use DNS resolvers that perform DNSSEC validation rose to 8.3% in May 2013.<sup id="cite_ref-CircleID_75-0" class="reference"><a href="#cite_note-CircleID-75"><span class="cite-bracket">[</span>75<span class="cite-bracket">]</span></a></sup> About half of these clients were using <a href="/wiki/Google_Public_DNS" title="Google Public DNS">Google's public DNS resolver</a>. </p><p>In September 2015, Verisign announced their free public DNS resolver service,<sup id="cite_ref-Verisign_76-0" class="reference"><a href="#cite_note-Verisign-76"><span class="cite-bracket">[</span>76<span class="cite-bracket">]</span></a></sup> and although unmentioned in their press releases, it also performs DNSSEC validation. 
</p><p>By the beginning of 2016, APNIC's monitoring showed the proportion of clients who exclusively use DNS resolvers that perform DNSSEC validation had increased to about 15%.<sup id="cite_ref-XA_77-0" class="reference"><a href="#cite_note-XA-77"><span class="cite-bracket">[</span>77<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="DNSSEC_support">DNSSEC support</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=25" title="Edit section: DNSSEC support"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">See also: <a href="/wiki/Public_recursive_name_server#Notable_public_DNS_service_operators" title="Public recursive name server">Public_recursive_name_server § Notable_public_DNS_service_operators</a></div> <p>Google's <a href="/wiki/Google_Public_DNS" title="Google Public DNS">public recursive DNS</a> server enabled DNSSEC validation on May 6, 2013.<sup id="cite_ref-78" class="reference"><a href="#cite_note-78"><span class="cite-bracket">[</span>78<span class="cite-bracket">]</span></a></sup> </p><p><a href="/wiki/BIND" title="BIND">BIND</a>, the most popular DNS management software, enables DNSSEC support by default since version 9.5. </p><p>The <a href="/wiki/Quad9" title="Quad9">Quad9 public recursive DNS</a> has performed DNSSEC validation on its main 9.9.9.9 address since it was established on May 11, 2016. 
Quad9 also provides an alternate service which does not perform DNSSEC validation, principally for debugging.<sup id="cite_ref-79" class="reference"><a href="#cite_note-79"><span class="cite-bracket">[</span>79<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Deployment_in_infrastructure">Deployment in infrastructure</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=26" title="Edit section: Deployment in infrastructure"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In September 2023, Microsoft announced it would utilize DNSSEC (via <a href="/wiki/DNS-based_Authentication_of_Named_Entities" title="DNS-based Authentication of Named Entities">DANE</a>) to verify the authenticity of certificates during SMTP communications.<sup id="cite_ref-80" class="reference"><a href="#cite_note-80"><span class="cite-bracket">[</span>80<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Reception">Reception</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=27" title="Edit section: Reception"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/Geoff_Huston_(scientist)" title="Geoff Huston (scientist)">Geoff Huston</a> has argued that DNSSEC deployment should be given up.<sup id="cite_ref-81" class="reference"><a href="#cite_note-81"><span class="cite-bracket">[</span>81<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="IETF_publications">IETF publications</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=28" title="Edit section: IETF 
publications"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2535">2535</a> Domain Name System Security Extensions</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3225">3225</a> Indicating Resolver Support of DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3226">3226</a> DNSSEC and IPv6 A6 Aware Server/Resolver Message Size Requirements</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3833">3833</a> A Threat Analysis of the Domain Name System</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4033">4033</a> DNS Security Introduction and Requirements (<i>DNSSEC-bis</i>)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" 
href="https://datatracker.ietf.org/doc/html/rfc4034">4034</a> Resource Records for the DNS Security Extensions (<i>DNSSEC-bis</i>)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4035">4035</a> Protocol Modifications for the DNS Security Extensions (<i>DNSSEC-bis</i>)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4398">4398</a> Storing Certificates in the Domain Name System (DNS)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4431">4431</a> The DNSSEC Lookaside Validation (DLV) DNS Resource Record</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4470">4470</a> Minimally Covering NSEC Records and DNSSEC On-line Signing</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4509">4509</a> Use of SHA-256 in DNSSEC Delegation Signer (DS) Resource Records (RRs)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" 
title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4641">4641</a> DNSSEC Operational Practices</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4955">4955</a> DNS Security (DNSSEC) Experiments</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5011">5011</a> Automated Updates of DNS Security (DNSSEC) Trust Anchors</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5155">5155</a> DNSSEC Hashed Authenticated Denial of Existence</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5702">5702</a> Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6014">6014</a> Cryptographic Algorithm Identifier Allocation for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC 
(identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6605">6605</a> Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6725">6725</a> DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6781">6781</a> DNSSEC Operational Practices, Version 2</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6840">6840</a> Clarifications and Implementation Notes for DNS Security (DNSSEC)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6975">6975</a> Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7129">7129</a> Authenticated Denial of Existence in the DNS</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a 
href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7344">7344</a> Automating DNSSEC Delegation Trust Maintenance</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7583">7583</a> DNSSEC Key Rollover Timing Considerations</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8078">8078</a> Managing DS Records from the Parent via CDS/CDNSKEY</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8080">8080</a> Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8198">8198</a> Aggressive Use of DNSSEC-Validated Cache</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8624">8624</a> Algorithm Implementation Requirements and Usage Guidance for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a 
href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8749">8749</a> Moving DNSSEC Lookaside Validation (DLV) to Historic Status</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc9077">9077</a> NSEC and NSEC3: TTLs and Aggressive Use</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc9157">9157</a> Revised IANA Considerations for DNSSEC</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc9276">9276</a> Guidance for NSEC3 Parameter Settings</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><a href="/wiki/RFC_(identifier)" class="mw-redirect" title="RFC (identifier)">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc9364">9364</a> (<a href="/wiki/Request_for_Comments#Best_Current_Practice" title="Request for Comments">BCP</a> 237) DNS Security Extensions</li></ul> <div class="mw-heading mw-heading2"><h2 id="Tools">Tools</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=29" title="Edit section: Tools"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>DNSSEC deployment requires software on the 
server and client side. Some of the tools that support DNSSEC include: </p> <ul><li><a href="/wiki/Windows_7" title="Windows 7">Windows 7</a> and <a href="/wiki/Windows_Server_2008" title="Windows Server 2008">Windows Server 2008 R2</a> include a non-validating "security-aware" stub resolver that is able to differentiate between secure and non-secure responses by a recursive name server; it does not validate signatures itself and relies on that server to do so. Windows Server 2012 DNSSEC is compatible with secure dynamic updates with Active Directory-integrated zones, plus Active Directory replication of anchor keys to other such servers.<sup id="cite_ref-port53_82-0" class="reference"><a href="#cite_note-port53-82"><span class="cite-bracket">[</span>82<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-83" class="reference"><a href="#cite_note-83"><span class="cite-bracket">[</span>83<span class="cite-bracket">]</span></a></sup></li> <li><a href="/wiki/BIND" title="BIND">BIND</a>, the most popular DNS name server (which includes <a href="/wiki/Domain_Information_Groper" class="mw-redirect" title="Domain Information Groper">dig</a>), incorporates the newer <i>DNSSEC-bis</i> (DS records) protocol as well as support for NSEC3 records.</li> <li><a href="/wiki/Unbound_(DNS_server)" title="Unbound (DNS server)">Unbound</a> is a DNS name server that was written from the ground up around DNSSEC concepts.</li> <li><a href="/wiki/MysqlBind" title="MysqlBind">mysqlBind</a>, the GPL <a href="/wiki/DNS_management_software" title="DNS management software">DNS management software</a> for DNS ASPs, now supports DNSSEC.</li> <li><a href="/wiki/OpenDNSSEC" title="OpenDNSSEC">OpenDNSSEC</a> is a designated DNSSEC signer tool using <a href="/wiki/PKCS11" class="mw-redirect" title="PKCS11">PKCS#11</a> to interface with <a href="/wiki/Hardware_security_module" title="Hardware security module">hardware security modules</a>.</li> <li><a href="/wiki/Knot_DNS" title="Knot DNS">Knot DNS</a> has added support for automatic DNSSEC signing in version 
1.4.0.</li> <li><a href="/wiki/PowerDNS" title="PowerDNS">PowerDNS</a> fully supports DNSSEC as of version 3.0 in pre-signed and live-signed modes.</li> <li><a href="/wiki/DNSSEC" class="mw-redirect" title="DNSSEC">DNSSEC</a>: <a rel="nofollow" class="external text" href="https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en">What is it and why is it important to implement it for a long time?</a> — <a rel="nofollow" class="external text" href="https://en.internet.nl/connection/">Check it</a> <a rel="nofollow" class="external text" href="https://en.internet.nl/">Initiative of the Internet community and the Dutch government</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=30" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/DNSCrypt" title="DNSCrypt">DNSCrypt</a></li> <li><a href="/wiki/DNSCurve" title="DNSCurve">DNSCurve</a></li> <li><a href="/wiki/Extension_Mechanisms_for_DNS" title="Extension Mechanisms for DNS">Extension Mechanisms for DNS (EDNS)</a></li> <li><a href="/wiki/TSIG" title="TSIG">TSIG</a></li> <li><a href="/wiki/Resource_Public_Key_Infrastructure" title="Resource Public Key Infrastructure">Resource Public Key Infrastructure (RPKI)</a></li></ul> <p><br /> </p> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Domain_Name_System_Security_Extensions&action=edit&section=31" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media 
screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist reflist-columns references-column-width" style="column-width: 30em;"> <ol class="references"> <li id="cite_note-1"><span class="mw-cite-backlink"><b><a href="#cite_ref-1">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHerzbergShulman2014" class="citation cs1">Herzberg, Amir; Shulman, Haya (2014). <a rel="nofollow" class="external text" href="https://ieeexplore.ieee.org/document/6756846">"Retrofitting Security into Network Protocols: The Case of DNSSEC"</a>. <i>IEEE Internet Computing</i>. <b>18</b> (1). pp. 66–71. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2FMIC.2014.14">10.1109/MIC.2014.14</a>. <a href="/wiki/ISSN_(identifier)" class="mw-redirect" title="ISSN (identifier)">ISSN</a> <a rel="nofollow" class="external text" href="https://search.worldcat.org/issn/1089-7801">1089-7801</a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:12230888">12230888</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=IEEE+Internet+Computing&rft.atitle=Retrofitting+Security+into+Network+Protocols%3A+The+Case+of+DNSSEC&rft.volume=18&rft.issue=1&rft.pages=pp.-66-71&rft.date=2014&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A12230888%23id-name%3DS2CID&rft.issn=1089-7801&rft_id=info%3Adoi%2F10.1109%2FMIC.2014.14&rft.aulast=Herzberg&rft.aufirst=Amir&rft.au=Shulman%2C+Haya&rft_id=https%3A%2F%2Fieeexplore.ieee.org%2Fdocument%2F6756846&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/rfc9460/"><i>Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRS)</i></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Service+binding+and+parameter+specification+via+the+DNS+%28DNS+SVCB+and+HTTPS+RRS%29&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Frfc9460%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/draft-ietf-tls-esni/"><i>TLS 
Encrypted Client Hello</i></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=TLS+Encrypted+Client+Hello&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-tls-esni%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-4"><span class="mw-cite-backlink"><b><a href="#cite_ref-4">^</a></b></span> <span class="reference-text">Interview with Dan Kaminsky on DNSSEC (25 Jun 2009) <a rel="nofollow" class="external text" href="https://web.archive.org/web/20090628074022/http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1360143,00.html#">Kaminsky interview: DNSSEC addresses cross-organizational trust and security</a></span> </li> <li id="cite_note-5"><span class="mw-cite-backlink"><b><a href="#cite_ref-5">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml">"Domain Name System Security (DNSSEC) Algorithm Numbers"</a>. <a href="/wiki/Internet_Assigned_Numbers_Authority" title="Internet Assigned Numbers Authority">IANA</a>. 2010-07-12<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-07-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Domain+Name+System+Security+%28DNSSEC%29+Algorithm+Numbers&rft.pub=IANA&rft.date=2010-07-12&rft_id=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fdns-sec-alg-numbers%2Fdns-sec-alg-numbers.xhtml&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-windows-understanding-6"><span class="mw-cite-backlink">^ <a href="#cite_ref-windows-understanding_6-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-windows-understanding_6-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx">"Understanding DNSSEC in Windows"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a>. October 7, 2009. 
<q>The Windows DNS client is a stub resolver...</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Understanding+DNSSEC+in+Windows&rft.pub=Microsoft&rft.date=2009-10-07&rft_id=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fee649277%28WS.10%29.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-windows-dnssec-7"><span class="mw-cite-backlink">^ <a href="#cite_ref-windows-dnssec_7-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-windows-dnssec_7-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://technet.microsoft.com/en-us/library/ee683904(WS.10).aspx">"DNS Security Extensions (DNSSEC)"</a>. <a href="/wiki/Microsoft" title="Microsoft">Microsoft</a>. October 21, 2009. 
<q>The DNS client in Windows Server 2008 R2 and Windows® 7 is a non-validating security-aware stub resolver.</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNS+Security+Extensions+%28DNSSEC%29&rft.pub=Microsoft&rft.date=2009-10-21&rft_id=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fee683904%28WS.10%29.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.iana.org/dnssec/archive">"Root DNSSEC"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Root+DNSSEC&rft_id=https%3A%2F%2Fwww.iana.org%2Fdnssec%2Farchive&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-9"><span class="mw-cite-backlink"><b><a href="#cite_ref-9">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.v3.co.uk/v3-uk/news/2039287/verisign-adds-dnssec-com-domain-boost-online-security/">"Computing - the UK's leading source for the analysis of business technology"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Computing+-+the+UK%27s+leading+source+for+the+analysis+of+business+technology&rft_id=http%3A%2F%2Fwww.v3.co.uk%2Fv3-uk%2Fnews%2F2039287%2Fverisign-adds-dnssec-com-domain-boost-online-security%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" 
class="Z3988"></span></span> </li> <li id="cite_note-rfc4033_section7-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc4033_section7_10-0">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRoseLarsonMasseyAustein2005" class="citation cs1">Rose, Scott; Larson, Matt; Massey, Dan; Austein, Rob; Arends, Roy (March 2005). <a rel="nofollow" class="external text" href="http://tools.ietf.org/html/rfc4033#section-7#page-11"><i>RFC 4033: DNS Security Introduction and Requirements</i></a>. <a href="/wiki/The_Internet_Society" class="mw-redirect" title="The Internet Society">The Internet Society</a>. p. 11. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4033">10.17487/RFC4033</a>. <q>Stub resolvers, by definition, are minimal DNS resolvers that use recursive query mode to offload most of the work of DNS resolution to a recursive name server.</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=RFC+4033%3A+DNS+Security+Introduction+and+Requirements&rft.pages=p.-11&rft.pub=The+Internet+Society&rft.date=2005-03&rft_id=info%3Adoi%2F10.17487%2FRFC4033&rft.aulast=Rose&rft.aufirst=Scott&rft.au=Larson%2C+Matt&rft.au=Massey%2C+Dan&rft.au=Austein%2C+Rob&rft.au=Arends%2C+Roy&rft_id=http%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc4033%23section-7%26%23035%3Bpage-11&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span> An earlier definition was given in an earlier RFC: <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRobert_Braden1989" class="citation cs1">Robert Braden (October 1989). Braden, R. (ed.). 
<a rel="nofollow" class="external text" href="http://tools.ietf.org/html/rfc1123#page-74#page-74"><i>RFC 1123 - Requirements for Internet Hosts -- Application and Support</i></a>. IETF (<a href="/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force">Internet Engineering Task Force</a>). p. 74. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC1123">10.17487/RFC1123</a>. <q>A "stub resolver" relies on the services of a recursive name server [...]</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=RFC+1123+-+Requirements+for+Internet+Hosts+--+Application+and+Support&rft.pages=p.-74&rft.pub=IETF+%28Internet+Engineering+Task+Force%29&rft.date=1989-10&rft_id=info%3Adoi%2F10.17487%2FRFC1123&rft.au=Robert+Braden&rft_id=http%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc1123%23page-74%26%23035%3Bpage-74&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-rfc4033_p12-11"><span class="mw-cite-backlink">^ <a href="#cite_ref-rfc4033_p12_11-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-rfc4033_p12_11-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-rfc4033_p12_11-2"><sup><i><b>c</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFRoseLarsonMasseyAustein2005" class="citation cs1">Rose, Scott; Larson, Matt; Massey, Dan; Austein, Rob; Arends, Roy (March 2005). <a rel="nofollow" class="external text" href="http://tools.ietf.org/html/rfc4033#page-12#page-12"><i>RFC 4033: DNS Security Introduction and Requirements</i></a>. <a href="/wiki/The_Internet_Society" class="mw-redirect" title="The Internet Society">The Internet Society</a>. p. 12. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4033">10.17487/RFC4033</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=RFC+4033%3A+DNS+Security+Introduction+and+Requirements&rft.pages=p.-12&rft.pub=The+Internet+Society&rft.date=2005-03&rft_id=info%3Adoi%2F10.17487%2FRFC4033&rft.aulast=Rose&rft.aufirst=Scott&rft.au=Larson%2C+Matt&rft.au=Massey%2C+Dan&rft.au=Austein%2C+Rob&rft.au=Arends%2C+Roy&rft_id=http%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc4033%23page-12%26%23035%3Bpage-12&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-practical-ipsec-12"><span class="mw-cite-backlink"><b><a href="#cite_ref-practical-ipsec_12-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMuñoz_MerinoGarcía-MartínezOrganeroKloos2006" class="citation book cs1">Muñoz Merino, Pedro J.; García-Martínez, Alberto; Organero, Mario Muñoz; Kloos, Carlos Delgado (2006). Meersman, Robert; Tari, Zahir; Herrero, Herrero Martín (eds.). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120426065241/http://netcom.it.uc3m.es/publications/pdf/2006/fulltext.pdf"><i>Enabling Practical IPsec Authentication for the Internet</i></a> <span class="cs1-format">(PDF)</span>. On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. Vol. 1. <a href="/wiki/Springer_Science%2BBusiness_Media" title="Springer Science+Business Media">Springer</a>. 
Archived from <a rel="nofollow" class="external text" href="http://netcom.it.uc3m.es/publications/pdf/2006/fulltext.pdf">the original</a> <span class="cs1-format">(PDF)</span> on 2012-04-26.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Enabling+Practical+IPsec+Authentication+for+the+Internet&rft.series=On+the+Move+to+Meaningful+Internet+Systems+2006%3A+OTM+2006+Workshops&rft.pub=Springer&rft.date=2006&rft.aulast=Mu%C3%B1oz+Merino&rft.aufirst=Pedro+J.&rft.au=Garc%C3%ADa-Mart%C3%ADnez%2C+Alberto&rft.au=Organero%2C+Mario+Mu%C3%B1oz&rft.au=Kloos%2C+Carlos+Delgado&rft_id=http%3A%2F%2Fnetcom.it.uc3m.es%2Fpublications%2Fpdf%2F2006%2Ffulltext.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-13">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://data.iana.org/root-anchors/">root-anchors</a></span> </li> <li id="cite_note-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-14">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFUbbink" class="citation web cs1">Ubbink, Stefan. <a rel="nofollow" class="external text" href="https://www.sidn.nl/en/news-and-blogs/new-dnssec-algorithm-for-nl">"New DNSSEC algorithm for .nl"</a>. <i>www.sidn.nl</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">29 January</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.sidn.nl&rft.atitle=New+DNSSEC+algorithm+for+.nl&rft.aulast=Ubbink&rft.aufirst=Stefan&rft_id=https%3A%2F%2Fwww.sidn.nl%2Fen%2Fnews-and-blogs%2Fnew-dnssec-algorithm-for-nl&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-15">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWessels2023" class="citation web cs1">Wessels, Duane (10 August 2023). <a rel="nofollow" class="external text" href="https://blog.verisign.com/security/dnssec-algorithm-update/">"Verisign Will Help Strengthen Security with DNSSEC Algorithm Update"</a>. <i>Verisign Blog</i><span class="reference-accessdate">. Retrieved <span class="nowrap">29 January</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Verisign+Blog&rft.atitle=Verisign+Will+Help+Strengthen+Security+with+DNSSEC+Algorithm+Update&rft.date=2023-08-10&rft.aulast=Wessels&rft.aufirst=Duane&rft_id=https%3A%2F%2Fblog.verisign.com%2Fsecurity%2Fdnssec-algorithm-update%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWessels" class="citation web cs1">Wessels, Duane. <a rel="nofollow" class="external text" href="https://indico.dns-oarc.net/event/47/contributions/1012/">"Transitioning Verisign's TLDs to Elliptic Curve DNSSEC"</a>. 
<i>DNS-OARC</i><span class="reference-accessdate">. Retrieved <span class="nowrap">29 January</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=DNS-OARC&rft.atitle=Transitioning+Verisign%27s+TLDs+to+Elliptic+Curve+DNSSEC&rft.aulast=Wessels&rft.aufirst=Duane&rft_id=https%3A%2F%2Findico.dns-oarc.net%2Fevent%2F47%2Fcontributions%2F1012%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-17">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.icann.org/resources/pages/ksk-algorithm-rollover-en">"Root Zone KSK Algorithm Rollover - ICANN"</a>. <i>www.icann.org</i><span class="reference-accessdate">. Retrieved <span class="nowrap">29 January</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.icann.org&rft.atitle=Root+Zone+KSK+Algorithm+Rollover+-+ICANN&rft_id=https%3A%2F%2Fwww.icann.org%2Fresources%2Fpages%2Fksk-algorithm-rollover-en&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-18">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/wg/dane/charter/">IETF: DNS-based Authentication of Named Entities (dane)</a></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" 
class="external text" href="http://www.imperialviolet.org/2011/06/16/dnssecchrome.html">"ImperialViolet"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2011-11-26</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ImperialViolet&rft_id=http%3A%2F%2Fwww.imperialviolet.org%2F2011%2F06%2F16%2Fdnssecchrome.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-20">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://git.chromium.org/gitweb/?p=chromium/chromium.git;a=commit;h=6a7172345e72d755d99c095eb3d4768f0f585344">"chromium git"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2013-03-09</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=chromium+git&rft_id=https%3A%2F%2Fgit.chromium.org%2Fgitweb%2F%3Fp%3Dchromium%2Fchromium.git%3Ba%3Dcommit%3Bh%3D6a7172345e72d755d99c095eb3d4768f0f585344&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-21"><span class="mw-cite-backlink"><b><a href="#cite_ref-21">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.dnssec-validator.cz/">"DNSSEC/TLSA Validator"</a>.</cite><span 
title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNSSEC%2FTLSA+Validator&rft_id=https%3A%2F%2Fwww.dnssec-validator.cz%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-22">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://bugzilla.mozilla.org/show_bug.cgi?id=672600">Bugzilla@Mozilla: Bug 672600 - Use DNSSEC/DANE chain stapled into TLS handshake in certificate chain validation</a></span> </li> <li id="cite_note-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-23">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://citeseer.ist.psu.edu/bellovin95using.html">"Using the Domain Name System for System Break-Ins"</a> by Steve Bellovin, 1995</span> </li> <li id="cite_note-24"><span class="mw-cite-backlink"><b><a href="#cite_ref-24">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFElias_HeftrigHaya_SchulmannNiklas_VogelMichael_Waidne" class="citation web cs1">Elias Heftrig; Haya Schulmann; Niklas Vogel; Michael Waidner. <a rel="nofollow" class="external text" href="https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf">"The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS Version: January 2024"</a> <span class="cs1-format">(PDF)</span>. 
<i>ATHENE</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=ATHENE&rft.atitle=The+KeyTrap+Denial-of-Service+Algorithmic+Complexity+Attacks+on+DNS+Version%3A+January+2024&rft.au=Elias+Heftrig&rft.au=Haya+Schulmann&rft.au=Niklas+Vogel&rft.au=Michael+Waidne&rft_id=https%3A%2F%2Fwww.athene-center.de%2Ffileadmin%2Fcontent%2FPDF%2FKeytrap_2401.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span> (<a rel="nofollow" class="external text" href="https://www.athene-center.de/en/keytrap">press release</a>)</span> </li> <li id="cite_note-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-25">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.cs.bu.edu/~goldbe/papers/nsec5.html">"NSEC5: Provably Preventing DNSSEC Zone Enumeration"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=NSEC5%3A+Provably+Preventing+DNSSEC+Zone+Enumeration&rft_id=https%3A%2F%2Fwww.cs.bu.edu%2F~goldbe%2Fpapers%2Fnsec5.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-26"><span class="mw-cite-backlink"><b><a href="#cite_ref-26">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7129"><i>Authenticated Denial of Existence in the DNS</i></a>. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC7129">10.17487/RFC7129</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7129">7129</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Authenticated+Denial+of+Existence+in+the+DNS&rft_id=info%3Adoi%2F10.17487%2FRFC7129&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc7129&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-cloudflare_black_lies-27"><span class="mw-cite-backlink">^ <a href="#cite_ref-cloudflare_black_lies_27-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-cloudflare_black_lies_27-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://blog.cloudflare.com/black-lies/">"Economical With The Truth: Making DNSSEC Answers Cheap"</a>. 
2016-06-24.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Economical+With+The+Truth%3A+Making+DNSSEC+Answers+Cheap&rft.date=2016-06-24&rft_id=https%3A%2F%2Fblog.cloudflare.com%2Fblack-lies%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/draft-valsorda-dnsop-black-lies#section-2">"Black Lies"</a>. <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/draft-valsorda-dnsop-black-lies"><i>Compact DNSSEC Denial of Existence or Black Lies</i></a>. sec. 2. I-D draft-valsorda-dnsop-black-lies.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Black+Lies&rft.btitle=Compact+DNSSEC+Denial+of+Existence+or+Black+Lies&rft.pages=sec.-2&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-valsorda-dnsop-black-lies%26%23035%3Bsection-2&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-29"><span class="mw-cite-backlink"><b><a href="#cite_ref-29">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://blog.cloudflare.com/dnssec-done-right/">"DNSSEC Done Right"</a>. 
2015-01-29.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNSSEC+Done+Right&rft.date=2015-01-29&rft_id=https%3A%2F%2Fblog.cloudflare.com%2Fdnssec-done-right%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-30">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf">U.S. <i>National Strategy to Secure Cyberspace</i></a>, p. 30, February 2003</span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMetzger,_PerryWilliam_Allen_SimpsonPaul_Vixie" class="citation web cs1">Metzger, Perry; William Allen Simpson & Paul Vixie. <a rel="nofollow" class="external text" href="http://www.usenix.org/publications/login/2009-12/openpdfs/metzger.pdf">"Improving TCP security with robust cookies"</a> <span class="cs1-format">(PDF)</span>. <i>Usenix</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2009-12-17</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Usenix&rft.atitle=Improving+TCP+security+with+robust+cookies&rft.au=Metzger%2C+Perry&rft.au=William+Allen+Simpson&rft.au=Paul+Vixie&rft_id=http%3A%2F%2Fwww.usenix.org%2Fpublications%2Flogin%2F2009-12%2Fopenpdfs%2Fmetzger.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external free" href="https://ccnso.icann.org/de/node/7603">https://ccnso.icann.org/de/node/7603</a> <sup class="noprint Inline-Template" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Bare_URLs" title="Wikipedia:Bare URLs"><span title="A full citation of this PDF document is required to prevent link rot. (March 2022)">bare URL PDF</span></a></i>]</sup></span> </li> <li id="cite_note-EPIC-20080527-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-EPIC-20080527_33-0">^</a></b></span> <span class="reference-text">Electronic Privacy Information Center (EPIC) (May 27, 2008). 
<a rel="nofollow" class="external text" href="https://epic.org/privacy/dnssec/">DNSSEC</a></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.ripe.net/docs/ripe-359.html">RIPE NCC DNSSEC Policy</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20071022171800/http://www.ripe.net/docs/ripe-359.html">Archived</a> October 22, 2007, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-35">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.arin.net/resources/dnssec/">ARIN DNSSEC Deployment Plan</a></span> </li> <li id="cite_note-36"><span class="mw-cite-backlink"><b><a href="#cite_ref-36">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFEklund-Löwinder2012" class="citation web cs1">Eklund-Löwinder, Anne-Marie (12 February 2012). <a rel="nofollow" class="external text" href="https://www.ripe.net/ripe/mail/archives/dns-wg/2007-February/001917.html">"[dns-wg] Swedish ISP TCD Song Adopts DNSSEC"</a>. <i>dns-wg mailing list</i>. RIPE NCC<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2 December</span> 2012</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=dns-wg+mailing+list&rft.atitle=%5Bdns-wg%5D+Swedish+ISP+TCD+Song+Adopts+DNSSEC&rft.date=2012-02-12&rft.aulast=Eklund-L%C3%B6winder&rft.aufirst=Anne-Marie&rft_id=https%3A%2F%2Fwww.ripe.net%2Fripe%2Fmail%2Farchives%2Fdns-wg%2F2007-February%2F001917.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-37">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.ripe.net/ripe/maillists/archives/dns-wg/2006/msg00053.html">dns-wg archive: Signed zones list</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20070305102531/http://www.ripe.net/ripe/maillists/archives/dns-wg/2006/msg00053.html">Archived</a> March 5, 2007, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.isc.org/node/62">ISC Launches DLV registry to kick off worldwide DNSSEC deployment</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20081118020616/https://www.isc.org/node/62">Archived</a> November 18, 2008, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-39"><span class="mw-cite-backlink"><b><a href="#cite_ref-39">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://itar.iana.org/">Interim Trust Anchor Repository</a></span> </li> <li id="cite_note-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-40">^</a></b></span> <span class="reference-text"><a 
rel="nofollow" class="external text" href="http://pir.org/index.php?db=content/News&tbl=Press&id=25">.ORG is the first open TLD signed with DNSSEC</a></span> </li> <li id="cite_note-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-41">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSean_Michael_Kerner" class="citation web cs1">Sean Michael Kerner. <a rel="nofollow" class="external text" href="http://www.internetnews.com/security/article.php/3774131">".ORG the Most Secure Domain?"</a>. <i>internetnews.com</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2008-09-27</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=internetnews.com&rft.atitle=.ORG+the+Most+Secure+Domain%3F&rft.au=Sean+Michael+Kerner&rft_id=http%3A%2F%2Fwww.internetnews.com%2Fsecurity%2Farticle.php%2F3774131&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc">".ORG Registrar List — with DNSSEC enabled at the top"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-06-23</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=.ORG+Registrar+List+%E2%80%94+with+DNSSEC+enabled+at+the+top&rft_id=http%3A%2F%2Fwww.pir.org%2Fget%2Fregistrars%3Forder%3Dfield_dnssec_value%26sort%3Ddesc&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.networkworld.com/news/2009/022409-verisign-dns-security.html?page=1">VeriSign: We will support DNS security in 2011</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20090303103411/http://www.networkworld.com/news/2009/022409-verisign-dns-security.html?page=1">Archived</a> March 3, 2009, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20091119200931/http://news.zdnet.co.uk/security/0,1000000189,39877966,00.htm">"VeriSign: Major internet security update by 2011"</a>. Archived from <a rel="nofollow" class="external text" href="http://news.zdnet.co.uk/security/0,1000000189,39877966,00.htm">the original</a> on 2009-11-19<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2009-11-18</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=VeriSign%3A+Major+internet+security+update+by+2011&rft_id=http%3A%2F%2Fnews.zdnet.co.uk%2Fsecurity%2F0%2C1000000189%2C39877966%2C00.htm&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-45"><span class="mw-cite-backlink"><b><a href="#cite_ref-45">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://archive.today/20130123041030/http://www.esecurityplanet.com/features/article.php/3929786/com-Domain-Finally-Safe.htm">.com Domain Finally Safe</a></span> </li> <li id="cite_note-46"><span class="mw-cite-backlink"><b><a href="#cite_ref-46">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.circleid.com/posts/20110601_verisign_matt_larson_wins_2011_infoworld_technology_leadership/">Verisign's Matt Larson Wins 2011 InfoWorld Technology Leadership Award</a></span> </li> <li id="cite_note-47"><span class="mw-cite-backlink"><b><a href="#cite_ref-47">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.infoworld.com/t/information-technology-careers/the-infoworld-2011-technology-leadership-awards-959">The InfoWorld 2011 Technology Leadership Awards</a></span> </li> <li id="cite_note-dnssec-status-live-48"><span class="mw-cite-backlink">^ <a href="#cite_ref-dnssec-status-live_48-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-dnssec-status-live_48-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.iana.org/dnssec/archive">"DNSSEC Project Archive"</a>.</cite><span 
title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNSSEC+Project+Archive&rft_id=https%3A%2F%2Fwww.iana.org%2Fdnssec%2Farchive&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-49"><span class="mw-cite-backlink"><b><a href="#cite_ref-49">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSingel,_Ryan2006" class="citation news cs1">Singel, Ryan (October 8, 2006). <a rel="nofollow" class="external text" href="http://blog.wired.com/27bstroke6/2008/10/feds-take-step.html">"Feds Start Moving on Net Security Hole"</a>. <i>Wired News</i>. CondéNet<span class="reference-accessdate">. Retrieved <span class="nowrap">2008-10-09</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Wired+News&rft.atitle=Feds+Start+Moving+on+Net+Security+Hole&rft.date=2006-10-08&rft.au=Singel%2C+Ryan&rft_id=http%3A%2F%2Fblog.wired.com%2F27bstroke6%2F2008%2F10%2Ffeds-take-step.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-50"><span class="mw-cite-backlink"><b><a href="#cite_ref-50">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation pressrelease cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20081013070057/http://www.ntia.doc.gov/press/2008/DNSSEC_081009.html">"Press Release: NTIA Seeks Public Comments for the Deployment of Security Technology Within the Internet Domain Name System"</a> (Press release). National Telecommunications and Information Administration, U.S. Department of Commerce. October 9, 2008. 
Archived from <a rel="nofollow" class="external text" href="http://www.ntia.doc.gov/press/2008/DNSSEC_081009.html">the original</a> on 2008-10-13<span class="reference-accessdate">. Retrieved <span class="nowrap">2008-10-09</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Press+Release%3A+NTIA+Seeks+Public+Comments+for+the+Deployment+of+Security+Technology+Within+the+Internet+Domain+Name+System&rft.pub=National+Telecommunications+and+Information+Administration%2C+U.S.+Department+of+Commerce&rft.date=2008-10-09&rft_id=http%3A%2F%2Fwww.ntia.doc.gov%2Fpress%2F2008%2FDNSSEC_081009.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-NISTpr609-51"><span class="mw-cite-backlink"><b><a href="#cite_ref-NISTpr609_51-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation pressrelease cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20110629074556/http://www.nist.gov/public_affairs/releases/dnssec_060309.html">"Commerce Department to Work with ICANN and VeriSign to Enhance the Security and Stability of the Internet's Domain Name and Addressing System"</a> (Press release). National Institute of Standards and Technology. 3 June 2009. Archived from <a rel="nofollow" class="external text" href="https://www.nist.gov/public_affairs/releases/dnssec_060309.html">the original</a> on 29 June 2011<span class="reference-accessdate">. 
Retrieved <span class="nowrap">13 July</span> 2017</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Commerce+Department+to+Work+with+ICANN+and+VeriSign+to+Enhance+the+Security+and+Stability+of+the+Internet%27s+Domain+Name+and+Addressing+System&rft.pub=National+Institute+of+Standards+and+Technology&rft.date=2009-06-03&rft_id=https%3A%2F%2Fwww.nist.gov%2Fpublic_affairs%2Freleases%2Fdnssec_060309.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-conf-52"><span class="mw-cite-backlink">^ <a href="#cite_ref-conf_52-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-conf_52-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.ripe.net/ripe/meetings/ripe-59/presentations/abley-dnssec-root-zone.pdf">"DNSSEC for the Root Zone"</a> <span class="cs1-format">(PDF)</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNSSEC+for+the+Root+Zone&rft_id=http%3A%2F%2Fwww.ripe.net%2Fripe%2Fmeetings%2Fripe-59%2Fpresentations%2Fabley-dnssec-root-zone.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-last-puzzle-pieces-53"><span class="mw-cite-backlink">^ <a href="#cite_ref-last-puzzle-pieces_53-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-last-puzzle-pieces_53-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHutchinson2010" class="citation web cs1">Hutchinson, James (6 May 2010). 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20131220202008/http://www.networkworld.com/news/2010/050610-icann-verisign-place-last-puzzle.html?hpg1=bn">"ICANN, Verisign place last puzzle pieces in DNSSEC saga"</a>. <i>NetworkWorld</i>. Archived from <a rel="nofollow" class="external text" href="http://www.networkworld.com/news/2010/050610-icann-verisign-place-last-puzzle.html?hpg1=bn">the original</a> on 20 December 2013<span class="reference-accessdate">. Retrieved <span class="nowrap">17 May</span> 2010</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=NetworkWorld&rft.atitle=ICANN%2C+Verisign+place+last+puzzle+pieces+in+DNSSEC+saga&rft.date=2010-05-06&rft.aulast=Hutchinson&rft.aufirst=James&rft_id=http%3A%2F%2Fwww.networkworld.com%2Fnews%2F2010%2F050610-icann-verisign-place-last-puzzle.html%3Fhpg1%3Dbn&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-54"><span class="mw-cite-backlink"><b><a href="#cite_ref-54">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100315143451/http://www.thetechherald.com/article.php/201010/5366/DNSSEC-to-become-standard-on-ORG-domains-by-end-of-June">"DNSSEC to become standard on .ORG domains by end of June"</a>. Archived from <a rel="nofollow" class="external text" href="http://www.thetechherald.com/article.php/201010/5366/DNSSEC-to-become-standard-on-ORG-domains-by-end-of-June">the original</a> on 2010-03-15<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2010-03-24</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DNSSEC+to+become+standard+on+.ORG+domains+by+end+of+June&rft_id=http%3A%2F%2Fwww.thetechherald.com%2Farticle.php%2F201010%2F5366%2FDNSSEC-to-become-standard-on-ORG-domains-by-end-of-June&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-55"><span class="mw-cite-backlink"><b><a href="#cite_ref-55">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20110404225604/http://www.theinquirer.net/inquirer/news/2039648/verisign-deploys-dnssec-com-tld">The Inquirer: Verisign deploys DNSSEC on .com TLD</a></span> </li> <li id="cite_note-heise-56"><span class="mw-cite-backlink"><b><a href="#cite_ref-heise_56-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.h-online.com/security/news/item/More-security-for-root-DNS-servers-962569.html">More security for root DNS servers</a> Heise Online, 24 March 2010</span> </li> <li id="cite_note-57"><span class="mw-cite-backlink"><b><a href="#cite_ref-57">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.circleid.com/posts/20111130_dnssec_update_from_icann_42_in_dakar/">CircleID: DNSSEC Update from ICANN 42 in Dakar</a></span> </li> <li id="cite_note-58"><span class="mw-cite-backlink"><b><a href="#cite_ref-58">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.isc.org/news-article/isc-launches-dlv-registry-kick-worldwide-dnssec-deployment">ISC Launches DLV registry to kick off worldwide DNSSEC deployment</a> <a rel="nofollow" class="external text" 
href="https://web.archive.org/web/20110614123636/https://www.isc.org/news-article/isc-launches-dlv-registry-kick-worldwide-dnssec-deployment">Archived</a> June 14, 2011, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></span> </li> <li id="cite_note-59"><span class="mw-cite-backlink"><b><a href="#cite_ref-59">^</a></b></span> <span class="reference-text">RFC 5011, "Automated Updates of DNS Security (DNSSEC) Trust Anchors"</span> </li> <li id="cite_note-60"><span class="mw-cite-backlink"><b><a href="#cite_ref-60">^</a></b></span> <span class="reference-text">RFC 4431, "The DNSSEC Lookaside Validation (DLV) DNS Resource Record"</span> </li> <li id="cite_note-61"><span class="mw-cite-backlink"><b><a href="#cite_ref-61">^</a></b></span> <span class="reference-text">RFC 5074, "DNSSEC Lookaside Validation (DLV)"</span> </li> <li id="cite_note-62"><span class="mw-cite-backlink"><b><a href="#cite_ref-62">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.isc.org/blogs/dlv-replaced-with-signed-empty-zone/">"DLV Replaced With Signed Empty Zone - Internet Systems Consortium"</a>. <i>isc.org</i>. 30 September 2017<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2020-06-05</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=isc.org&rft.atitle=DLV+Replaced+With+Signed+Empty+Zone+-+Internet+Systems+Consortium&rft.date=2017-09-30&rft_id=https%3A%2F%2Fwww.isc.org%2Fblogs%2Fdlv-replaced-with-signed-empty-zone%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-63"><span class="mw-cite-backlink"><b><a href="#cite_ref-63">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.isc.org/blogs/bind9.16.0_released/">"BIND 9.16.0, Stable Branch for 2020 and Beyond - Internet Systems Consortium"</a>. <i>isc.org</i>. 20 February 2020<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-06-05</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=isc.org&rft.atitle=BIND+9.16.0%2C+Stable+Branch+for+2020+and+Beyond+-+Internet+Systems+Consortium&rft.date=2020-02-20&rft_id=https%3A%2F%2Fwww.isc.org%2Fblogs%2Fbind9.16.0_released%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-64"><span class="mw-cite-backlink"><b><a href="#cite_ref-64">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://nlnetlabs.nl/projects/unbound/download/#unbound-1-5-4">"Unbound 1.5.4 Changes"</a>. <i>NLnet Labs</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2020-06-05</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=NLnet+Labs&rft.atitle=Unbound+1.5.4+Changes&rft_id=https%3A%2F%2Fnlnetlabs.nl%2Fprojects%2Funbound%2Fdownload%2F%23unbound-1-5-4&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-65"><span class="mw-cite-backlink"><b><a href="#cite_ref-65">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMekkingMahoney2020" class="citation cs1"><a href="/w/index.php?title=W._(Matthijs)_Mekking&action=edit&redlink=1" class="new" title="W. (Matthijs) Mekking (page does not exist)">Mekking, W.</a>; <a href="/w/index.php?title=Dan_Mahoney_(computer_scientist)&action=edit&redlink=1" class="new" title="Dan Mahoney (computer scientist) (page does not exist)">Mahoney, D.</a> (March 2020). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8749"><i>Moving DNSSEC Lookaside Validation (DLV) to Historic Status</i></a>. <a href="/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force">IETF</a>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC8749">10.17487/RFC8749</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc8749">8749</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">3 June</span> 2020</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Moving+DNSSEC+Lookaside+Validation+%28DLV%29+to+Historic+Status&rft.pub=IETF&rft.date=2020-03&rft_id=info%3Adoi%2F10.17487%2FRFC8749&rft.aulast=Mekking&rft.aufirst=W.&rft.au=Mahoney%2C+D.&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc879&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-66"><span class="mw-cite-backlink"><b><a href="#cite_ref-66">^</a></b></span> <span class="reference-text"><i><a rel="nofollow" class="external text" href="http://www.heise.de/english/newsticker/news/87655">Department of Homeland and Security wants master key for DNS</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20070406172122/http://www.heise.de/english/newsticker/news/87655">Archived</a> April 6, 2007, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a></i> <a href="/wiki/Heinz_Heise" class="mw-redirect" title="Heinz Heise">Heise</a> News, 30 March 2007</span> </li> <li id="cite_note-67"><span class="mw-cite-backlink"><b><a href="#cite_ref-67">^</a></b></span> <span class="reference-text"><i><a rel="nofollow" class="external text" href="http://www.upi.com/Security_Terrorism/Analysis/2007/04/12/analysis_owning_the_keys_to_the_internet/">Analysis: Owning the keys to the Internet</a></i> <a href="/wiki/United_Press_International" title="United Press International">UPI</a>, April 21, 2007</span> </li> <li id="cite_note-68"><span class="mw-cite-backlink"><b><a href="#cite_ref-68">^</a></b></span> <span class="reference-text"><i><a rel="nofollow" class="external text" href="http://www.mail-archive.com/osint@yahoogroups.com/msg39697.html">UPI Analysis: Owning the keys to the Internet </a></i> March 24, 2011 - First link is dead, this is believed to be the same 
content</span> </li> <li id="cite_note-69"><span class="mw-cite-backlink"><b><a href="#cite_ref-69">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.dnssec-deployment.org/news/dnssecthismonth/200606-dnssecthismonth/">DNSSEC Deployment Initiative Newsletter - Volume 1, Number 2</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20071122021856/http://www.dnssec-deployment.org/news/dnssecthismonth/200606-dnssecthismonth/">Archived</a> November 22, 2007, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, June 2006</span> </li> <li id="cite_note-70"><span class="mw-cite-backlink"><b><a href="#cite_ref-70">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://obamawhitehouse.archives.gov/omb/memoranda/fy2008/m08-23.pdf">Memorandum For Chief Information Officers</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080916034802/http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf">Archived</a> 2008-09-16 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> Executive Office Of The President — Office Of Management And Budget, 22 August 2008</span> </li> <li id="cite_note-71"><span class="mw-cite-backlink"><b><a href="#cite_ref-71">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.networkworld.com/news/2008/092208-government-web-security.html">Feds tighten security on .gov</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080925011755/http://www.networkworld.com/news/2008/092208-government-web-security.html">Archived</a> September 25, 2008, at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> Network World, 22 September 2008</span> </li> <li id="cite_note-72"><span class="mw-cite-backlink"><b><a href="#cite_ref-72">^</a></b></span> <span 
class="reference-text"><a rel="nofollow" class="external text" href="http://blog.comcast.com/2010/10/dns-security-rollout-begins.html">Comcast Blog - DNS Security Rollout Begins</a>, October 18, 2010</span> </li> <li id="cite_note-73"><span class="mw-cite-backlink"><b><a href="#cite_ref-73">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.dnssec.comcast.net/dnssec-video.htm">Comcast DNSSEC Public Service Announcement Video</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20101021044129/http://www.dnssec.comcast.net/dnssec-video.htm">Archived</a> 2010-10-21 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a>, October 18, 2010</span> </li> <li id="cite_note-74"><span class="mw-cite-backlink"><b><a href="#cite_ref-74">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://blog.comcast.com/2012/01/comcast-completes-dnssec-deployment.html">Comcast Completes DNSSEC Deployment</a>, January 11, 2012</span> </li> <li id="cite_note-CircleID-75"><span class="mw-cite-backlink"><b><a href="#cite_ref-CircleID_75-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.circleid.com/posts/20130717_dns_dnssec_and_googles_public_dns_service/">Geoff Huston: DNS, DNSSEC and Google's Public DNS Service (CircleID)</a></span> </li> <li id="cite_note-Verisign-76"><span class="mw-cite-backlink"><b><a href="#cite_ref-Verisign_76-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://www.circleid.com/posts/20150929_verisign_public_dns_free_dns_service_respects_privacy/">Introducing Verisign Public DNS</a></span> </li> <li id="cite_note-XA-77"><span class="mw-cite-backlink"><b><a href="#cite_ref-XA_77-0">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="http://stats.labs.apnic.net/dnssec/XA">Use of 
DNSSEC Validation for World (XA)</a></span> </li> <li id="cite_note-78"><span class="mw-cite-backlink"><b><a href="#cite_ref-78">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://security.googleblog.com/2013/03/google-public-dns-now-supports-dnssec.html">Google Public DNS Now Supports DNSSEC Validation</a> Google Code Blog, 1 June 2013</span> </li> <li id="cite_note-79"><span class="mw-cite-backlink"><b><a href="#cite_ref-79">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.quad9.net/faq/">"Quad9 FAQ"</a>. <i>Quad9</i><span class="reference-accessdate">. Retrieved <span class="nowrap">July 7,</span> 2018</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Quad9&rft.atitle=Quad9+FAQ&rft_id=https%3A%2F%2Fwww.quad9.net%2Ffaq%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-80"><span class="mw-cite-backlink"><b><a href="#cite_ref-80">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694">"Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow"</a>. <i>TECHCOMMUNITY.MICROSOFT.COM</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2024-05-28</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=TECHCOMMUNITY.MICROSOFT.COM&rft.atitle=Implementing+Inbound+SMTP+DANE+with+DNSSEC+for+Exchange+Online+Mail+Flow&rft_id=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fimplementing-inbound-smtp-dane-with-dnssec-for-exchange-online%2Fba-p%2F3939694&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-81"><span class="mw-cite-backlink"><b><a href="#cite_ref-81">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHuston2024" class="citation web cs1">Huston, Geoff (2024-05-28). <a rel="nofollow" class="external text" href="https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/">"Calling time on DNSSEC?"</a>. <i>APNIC Blog</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2024-05-28</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=APNIC+Blog&rft.atitle=Calling+time+on+DNSSEC%3F&rft.date=2024-05-28&rft.aulast=Huston&rft.aufirst=Geoff&rft_id=https%3A%2F%2Fblog.apnic.net%2F2024%2F05%2F28%2Fcalling-time-on-dnssec%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-port53-82"><span class="mw-cite-backlink"><b><a href="#cite_ref-port53_82-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSeshadri2008" class="citation web cs1">Seshadri, Shyam (11 November 2008). 
<a rel="nofollow" class="external text" href="http://blogs.technet.com/sseshad/archive/2008/11/11/dnssec-on-windows-7-dns-client.aspx">"DNSSEC on Windows 7 DNS client"</a>. <i>Port 53</i>. Microsoft.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Port+53&rft.atitle=DNSSEC+on+Windows+7+DNS+client&rft.date=2008-11-11&rft.aulast=Seshadri&rft.aufirst=Shyam&rft_id=http%3A%2F%2Fblogs.technet.com%2Fsseshad%2Farchive%2F2008%2F11%2F11%2Fdnssec-on-windows-7-dns-client.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></span> </li> <li id="cite_note-83"><span class="mw-cite-backlink"><b><a href="#cite_ref-83">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.dns-oarc.net/files/workshop-2006/Microsoft-DNSSEC.pdf">DNSSEC in Windows Server</a></span> </li> </ol></div> <div class="mw-heading mw-heading2"><h2 id="Further_reading">Further reading</h2></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFH._YangE._OsterweilD._MasseyS._Lu2010" class="citation cs1">H. Yang; E. Osterweil; D. Massey; S. Lu; <a href="/wiki/Lixia_Zhang" title="Lixia Zhang">L. Zhang</a> (8 April 2010). "Deploying Cryptography in Internet-Scale Systems: A Case Study on DNSSEC". <i>IEEE Transactions on Dependable and Secure Computing</i>. <b>8</b> (5). pp. 656–669. 
<a href="/wiki/CiteSeerX_(identifier)" class="mw-redirect" title="CiteSeerX (identifier)">CiteSeerX</a> <span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.158.1984">10.1.1.158.1984</a></span>. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2FTDSC.2010.10">10.1109/TDSC.2010.10</a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:14887477">14887477</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=IEEE+Transactions+on+Dependable+and+Secure+Computing&rft.atitle=Deploying+Cryptography+in+Internet-Scale+Systems%3A+A+Case+Study+on+DNSSEC&rft.volume=8&rft.issue=5&rft.pages=pp.-656-669&rft.date=2010-04-08&rft_id=https%3A%2F%2Fciteseerx.ist.psu.edu%2Fviewdoc%2Fsummary%3Fdoi%3D10.1.1.158.1984%23id-name%3DCiteSeerX&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A14887477%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1109%2FTDSC.2010.10&rft.au=H.+Yang&rft.au=E.+Osterweil&rft.au=D.+Massey&rft.au=S.+Lu&rft.au=L.+Zhang&rfr_id=info%3Asid%2Fen.wikipedia.org%3ADomain+Name+System+Security+Extensions" class="Z3988"></span></li></ul> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2></div> <ul><li><a rel="nofollow" class="external text" href="https://www.dnssec.net/">DNSSEC</a> – DNSSEC information site: DNSSEC.net</li> <li><a rel="nofollow" class="external text" 
href="https://web.archive.org/web/20031008105543/http://www.ietf.org/html.charters/dnsext-charter.html">DNSEXT</a> DNS Extensions <a href="/wiki/IETF_Working_Group" class="mw-redirect" title="IETF Working Group">IETF Working Group</a></li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20190429202558/http://dnssec-tools.org/">DNSSEC-Tools Project</a></li></ul> </div></div> </div> </main> </div> </div> </div> </body> </html>