DNSSEC TIMELINE

Verisign has been involved in DNSSEC development since 2000, and our engineers played a leading role in the development of the NSEC3 protocol. We continue to collaborate with the internet technical community as DNSSEC testing, implementation and adoption move forward.


1990 A major flaw in DNS is discovered and dialogue about securing DNS begins.
1995 DNSSEC becomes a formal topic within the IETF.
1999 The DNSSEC protocol (RFC2535) is finished and BIND9 is developed as the first DNSSEC capable implementation.
2001 Key handling creates operational problems that make DNSSEC deployment impossible for large networks. The IETF decides to rewrite the protocol.
2005 DNSSEC standards are rewritten in several RFCs 4033, 4034, 4035. In October, Sweden (.se) enables DNSSEC in their zone.
2007 In July ccTLD .pr (Puerto Rico) enables DNSSEC, followed by .br (Brazil) in September and .bg (Bulgaria) in October.
2008 The NSEC3 standard (RFC 5155) is published. In September ccTLD .cz (Czech Republic) enables DNSSEC.
2009 Verisign and EDUCAUSE host a DNSSEC test bed for selected .edu registrants. Root zone signed for internal use by Verisign and ICANN. ICANN and Verisign exercise signing the ZSK with the KSK.
2010 The first root server begins serving the signed root, utilising the DURZ (deliberately unvalidatable root zone) methodology. All root servers serving the signed root, using the DURZ methodology. ICANN holds first KSK ceremony event in Culpeper, VA, USA. ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys - the signed root zone is available. Verisign and EUDCAUSE enable DNSSEC for the .edu domain. Verisign enables DNSSEC for the .net domain.
2011 In February, DNSSEC enabled .gov registry is transitioned to Verisign. In March, .com is signed and the Verisign Managed DNS service is enhanced with full support for DNSSEC compliance. 59 TLDs are signed with trust anchors in the root zone.
2012 In January, Comcast announced that its customers are using DNSSEC-validating resolvers. From March, the number of TLDs signed grew to 90.

NEED MORE INFO?