Deploy360 17 July 2014

Congrats to Spain (.ES) and Croatia (.HR) on on their DNSSEC-signed TLDs in the DNS Root

By Dan YorkDirector, Internet Technology

Croatia and SpainCongratulations to the teams at the top-level domains (TLDs) of both .ES (Spain) and .HR (Croatia) for getting their DNSSEC-signed TLDs in the root of DNS!  Looking at Rick Lamb’s DNSSEC Deployment Report today I can see that as of yesterday both TLDs had a DS record in the root zone of DNS.

Both will now appear with the “DS In Root” status in our DNSSEC deployment maps that get generated every Monday (and to which all are welcome to subscribe).

What this means is that the TLDs have been signed with DNSSEC and as of yesterday can now participate in the “global chain of trust”. DNSSEC-signed second-level domains under .ES and .HR will now be able to have their signatures validated and confirmed from the root of DNS all the way down to their domains.

Now… I should say that this is technically possible at this point in time.  The DS records for .ES and .HR are now in the root zone.  Second-level domains could be validated from the root all the way down.

However, we can’t tell from external observations whether someone with a .ES domain can provide their DS record up to the .ES TLD – and the same for .HR.  We can’t tell if those registries are allowing DNSSEC signatures from second-level domains.  So it might or might not be possible today… but there is no longer a technical roadblock in the DNS system – it is now up to the TLD registries to allow registrars to submit DNSSEC records for domain registrants.  (And once we can confirm that they are allowing DS records from second-level domains we’ll set their status to “Operational” in the DNSSEC deployment maps.)

Congratulations again to both teams – and if you have registered a .ES or .HR domain, you can now start asking your registrar to find out when you will be able to get the increased security of DNSSEC and try new services like the DANE protocol!

Want to get started with DNSSEC and DANE? Check out our “Start Here” page to find resources tailored to your type of organization – or please let us know if you need additional material.

P.S. In entering the information about .HR for Croatia into our DNSSEC Deployment Map database, I discovered that the status had been previously incorrectly set to “Operational” based on some earlier information that had not been updated.  Croatia has been showing up in that state since the end of March 2014.  We regret that error and now will correctly be showing Croatia as “DS in Root” on the maps that get generated on Monday, July 21, 2014.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...