DNSSEC is most effective when universally implemented, starting at the root zone and top-level domains (TLDs) and moving down to individual domain names. Registries, registrars, registrants, hosting companies, software developers, hardware vendors, government, businesses and agencies with an internet presence, and internet technologists and coalitions all share responsibility for the success of this massive effort.


The Domain Name System Security Extensions (DNSSEC) present new opportunities and new challenges for registrars. Verisign is committed to working with our registrar affiliates to make DNSSEC as simple and valuable as possible.

By proactively adding this important layer, you can:

  • Help protect registrants’ brand and customers
  • Maintain registrants’ trust and loyalty
  • Attract and retain security- and reputation-focused registrants
  • Create new service offerings, such as zone signing for registrants
  • Open the door to using the DNS for new types of secure data transactions (e.g. publishing other types of public keys and authenticating e-mail origin)
  • Protect your core business by enhancing trust in the Internet
  • Exert leadership and influence to shape the future of DNSSEC

The Domain Name System Security Extensions (DNSSEC) provide additional online protection for your customers and your brand. Verisign is committed to working with members of the internet community to ensure that DNSSEC is broadly successful.


By implementing DNSSEC, you can:

  • Help protect your brand and customers
  • Mitigate risk
  • Maintain customers’ trust and loyalty
  • Attract and retain security-focused customers
  • Protect your core business by enhancing trust in the Internet
  • Build your reputation as an organisation that is at the forefront of internet security and cares about protecting customers


By implementing DNSSEC, you can better protect your customers, reinforce your reputation for leadership in customer protection and Internet security, and differentiate yourself from competitors. You may also be able to influence the development of products and services - and other industry initiatives - that support and benefit your business.

By proactively adding this important layer, you can:

  • Help mitigate the risk of your customers becoming victims of cyber crime
  • Help protect and build your brand and reputation
  • Maintain your customers' trust and loyalty
  • Offer a more secure Internet experience as part of your value proposition to customers
  • Attract and retain security-focused customers
  • Protect your core business by enhancing trust in the Internet
  • Exert your leadership and influence to shape the future of DNSSEC


Registrars need to sign the domain names for their customers (registrants). Enabling DNSSEC for a registrant involves creating private/public key pairs for the domain name, creating and signing the zone and managing the key pairs. These processes ensure that DNSSEC-enabled resolvers within the internet ecosystem can verify the authenticity of responses received from the zone. Registrars also need to modify the interface to their customers to accept DNSSEC key data. In addition, they need to modify their Extensible Provisioning Protocol (EPP) interface to pass DNSSEC key data to the registries with which they interact.

Verisign is committed to driving down the DNSSEC implementation costs for registrars and helping our registrar affiliates determine their DNSSEC deployment strategies. Verisign provides a number of tools, training, services and support to help registrars with their key management processes and with deployment of DNSSEC in their DNS servers.

This support includes:

  • An Operational Test Environment for .net / .com, which enables registrars to ensure their DNSSEC implementation operates properly.
  • DNSSEC tutorials provided by the Technical Boot Camp.
  • A software developer kit (SDK) and EPP Tool.
  • The DNSSEC Technical Forum.
  • A DNSSEC Tool Guide, which provides an overview of DNSSEC-related open source tools and automation suites available in the industry.
  • A downloadable command-line-based tool that enables registrars to take advantage of some common open-source tools to simplify DNSSEC and DNS zone management.
  • White papers on how registrar transfers will occur in a DNSSEC-enabled environment (via the DNSSEC Technical Forum).

Verisign has invested in DNSSEC to fortify the Internet infrastructure. Registrars and/or service providers may choose to develop services to enable DNSSEC for their customers. The market will determine the model.

To help propagate DNSSEC throughout the internet ecosystem, ISPs need to enable DNSSEC on their recursive name servers and ensure the compatibility of their network infrastructure (e.g. firewalls, routers, switches and load balancers) with the larger DNS responses that DNSSEC generates.

Most commercially available recursive name servers already support DNSSEC and require only an update or parameter change. However, registrars may have to upgrade or replace legacy name servers and existing networking devices.

DNSSEC is based on a hierarchy of trust. Entities at higher levels of the hierarchy vouch for entities below them. This means that the entity that provides a website operator's domain name (usually a registrar, ISP or DNS hosting service) must implement DNSSEC before the website operator can enable it.
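The link between a child zone's key and its parent, which is what the registrar key-data step and the hierarchy of trust described above come down to, can be shown by deriving a DS record from a DNSKEY and checking it as the parent side would. This is an added example, not Verisign's code; it assumes a SHA-256 digest (DS digest type 2), algorithm 13, the placeholder zone `example.com.` and constructed key bytes that are not a real key.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) DNS wire form of an owner name."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS fields (key tag, algorithm, digest type, digest) for a child DNSKEY.
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(ds, owner: str, rdata: bytes) -> bool:
    """True when the DS held by the parent vouches for this child DNSKEY."""
    return ds == make_ds(owner, rdata)

# Constructed sample: 64 placeholder bytes standing in for a P-256 public key.
CONSTRUCTED_KEY = bytes(range(64))
KSK = dnskey_rdata(257, 3, 13, CONSTRUCTED_KEY)   # 257 = zone key + SEP bit
DS = make_ds("example.com.", KSK)

if __name__ == "__main__":
    print("example.com. IN DS %d %d %d %s" % DS)
    print("parent DS matches child key:", ds_matches(DS, "Example.COM", KSK))
    swapped = dnskey_rdata(257, 3, 13, b"\x01" + CONSTRUCTED_KEY[1:])
    print("parent DS matches altered key:", ds_matches(DS, "example.com.", swapped))
```

If the child zone rolls its key without the parent's DS being updated, `ds_matches` returns False and validating resolvers treat the zone's answers as bogus.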

To enable DNSSEC for their website, website operators must digitally sign their domain name information. In most cases, they can simply opt in to this process when they register their domain name. If they have already registered their domain name and choose to implement DNSSEC for their zone, their DNSSEC-enabled registrar would probably have a process for modifying zone records after registration.

Some organisations may need to administer parts of the DNSSEC process internally for security or compliance reasons. In this case, enabling DNSSEC is more complex.