A couple of days before Christmas, ICANN announced that all of the current 1,195 generic top-level domains (gTLDs), both new and legacy, have deployed DNSSEC.
Domain Name System Security Extensions (DNSSEC) allows registrants to digitally sign information they put into the Domain Name System (DNS). This protects consumers by ensuring that DNS data that has been corrupted, either accidentally or maliciously, doesn’t reach them.
A strategy of defense in depth, in which several independent layers of security controls are used so that if one fails another will be operative, can improve the security of the overall system. DNSSEC can provide one tier of defense in depth for the Internet. In order to improve the security of the Internet, DNSSEC must be widely deployed across all TLDs. With .AERO signing its zone, 100% of gTLDs are now signed. This is an important milestone: all gTLDs now have DNSSEC, which makes it available to their registrants.
“This is important news because it means that more users everywhere can have increased trust in the responses to DNS lookups,” said David Conrad, Senior Vice President and Chief Technology Officer (CTO) at ICANN org. “As DNSSEC deployment grows, the DNS can also become a foundation for other protocols that require a way to store data securely.”
ICANN will continue to encourage those country code top-level domains that have not DNSSEC-signed their zones to do so, and will encourage operators of DNS resolvers, which check DNSSEC signatures to verify the data has not been modified, to enable DNSSEC validation.