A short history of DNSSEC


We have only bits and pieces of information. What we know for certain is that, at some point in the early Twenty-first Century, all of mankind was united in celebration. Through the blinding inebriation of hubris, we marveled at our magnificence as we gave birth to A.I. DNSSEC.

-- Morpheus, the Matrix


This page gives a short history of DNSSEC. It is presented as a timeline stretching from ancient times (1983) up to the current year. DNS history itself is only briefly touched upon; a fuller history is given in the first three paragraphs of [1].

As I've only been involved with DNSSEC since the beginning of 2001 and this history is typed from the top of my head, there may be things forgotten or downright wrong. Please don't hesitate to send us a message if something is not right (the email address can be found at the bottom of the page).

DNS(SEC) History


1983

Paul Mockapetris invents the DNS and implements the first server, Jeeves.


DNS becomes a formal IETF Internet Standard. Two RFCs describe it: RFC 1034 and RFC 1035.


DNS begins to catch on across the Internet.


Steven Bellovin discovers a major flaw in the DNS [2]: hosts that trust a DNS answer (for instance a reverse lookup of the client's address) to decide who may log in can be broken into with forged DNS data. As DNS is already widely deployed on the Internet, the report is kept secret until 1995. In those years research starts on a more secure replacement for DNS.


1995

The article by Bellovin is published and DNSSEC (as it became known) becomes a topic within the IETF.


RFC 2065, a predecessor of RFC 2535, is published.


RFC 2535 is published by the IETF. The DNSSEC protocol looks to be finally finished. BIND 9 is developed to be the first DNSSEC-capable implementation.


Although the RFC is finished and BIND is DNSSEC-ready, deployment is stalling.


Experiments [3] show that the key handling in RFC 2535 causes operational problems that would make deployment difficult, if not impossible: the parent signs the child's KEY RRset, so every key change at the child also requires a fresh signature from the parent.

After various ideas and drafts (sig@parent) a new record was proposed: the DS RR, the Delegation Signer resource record. The parent publishes a DS holding a hash of the child's key, instead of signing the child's keys itself, and with this record the operational problems of DNSSEC would be solved. Because this record has the special property of existing only at the parent zone (it is authoritative data of the parent, unlike the NS records at the same delegation point), it introduced some difficulties in the DNS protocol itself. Deployment of DNSSEC now looks possible, but the current code (i.e. BIND 9) does not understand the new DS record.
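As an added example (not code from the original page nor from NLnet Labs' own software), here is how the DS record links parent and child under the DNSSECbis rules that came out of this redesign (RFC 4034, section 5.1.4 and appendix B): the DS carries the key tag, algorithm, digest type and a hash over the child's DNSKEY owner name plus RDATA, so only the hash lives at the parent while the key itself stays in the child zone. The owner name example.nl. and the DNSKEY material below are constructed for the demonstration and are not a real key.

```python
"""Build and check a DS record for a child DNSKEY, following RFC 4034
section 5.1.4 (digest = hash(canonical owner name | DNSKEY RDATA)) and
appendix B (key tag). Added example; the key material is constructed."""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
# SHA-1 is listed only for completeness; it should not be used for new delegations.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed for this example, not a real key: flags 257 = ZONE|SEP (a KSK),
# protocol 3 (mandatory for DNSKEY), algorithm 8 (RSASHA256); the "public key"
# is just the byte values 0..63.
EXAMPLE_OWNER = "example.nl."
EXAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(bytes(range(64))).decode("ascii")


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels are 1..63 octets")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (must be 3), 8-bit algorithm, key bytes."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 section 2.1.2)")
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(presentation: str):
    """Split presentation form 'flags protocol algorithm base64...' into its fields."""
    flags, protocol, algorithm, *b64 = presentation.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (all algorithms except the obsolete RSA/MD5 case)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, dnskey: str, digest_type: int = 2):
    """What the parent publishes: (key_tag, algorithm, digest_type, hex digest)."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey)
    if not flags & 0x0100:
        raise ValueError("a DS may only point at a key with the ZONE flag set")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(DIGEST_ALGS[digest_type], wire_name(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, digest.hexdigest().upper()


def ds_matches(owner: str, dnskey: str, ds) -> bool:
    """Validator side: does the child's DNSKEY hash to the DS the parent published?
    An unknown digest type, a malformed key or any mismatch means 'not authenticated'."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False
    try:
        got = make_ds(owner, dnskey, digest_type)
    except (ValueError, KeyError):
        return False
    return got[0] == tag and got[1] == algorithm and got[3] == digest.upper()


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_DNSKEY)
    print(f"{EXAMPLE_OWNER} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    # The same DNSKEY published under another owner name does not match the DS.
    print("matches child key:", ds_matches(EXAMPLE_OWNER, EXAMPLE_DNSKEY, ds))
    print("matches under other owner:", ds_matches("example.com.", EXAMPLE_DNSKEY, ds))
```

The owner name is part of the hashed data, which is why a DS cannot be reused for the same key under a different name. Note that this is only the hash linkage: a validator must still verify the RRSIG over the parent's DS RRset and the RRSIG the child makes over its own DNSKEY RRset with the key the DS points at; neither of those signature checks is shown here.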

It is decided to rewrite RFC 2535 into three new drafts:

  • draft-ietf-dnsext-dnssec-intro - an introduction to DNSSEC
  • draft-ietf-dnsext-dnssec-records - introduces the new records
  • draft-ietf-dnsext-dnssec-protocol - details the protocol changes


The drafts are getting more refined and better; BIND 9 snapshots start appearing that can handle the new DNSSEC standard (2535bis).

NLnet Labs decided to run a new experiment called SECREG (secure registry) to test 2535bis. The results of this experiment are documented in [4]. In short, the experiment showed that 2535bis is ready for deployment.


The expectation is that the drafts will be finished this year and that the RFCs could even be published before 2005. Currently BIND 9.3 and higher, and NSD 2 and higher, are capable of handling 2535bis DNSSEC.


The three new drafts are on their way to the RFC Editor. This means the new standard is almost official. Now we only have to wait for DNSSECbis to become the new standard.

2005 - March

The three RFCs are published.

2005 - October

Sweden (.SE) enables DNSSEC in its zone. This makes .SE the first ccTLD to deploy DNSSEC.

At the same time RIPE NCC (ripe.net) is in the process of deploying DNSSEC in the reverse zones.


[1] nominum.com/history.php
[2] S. Bellovin, "Using the Domain Name System for System Break-Ins", 1995.
[3] NLnet Labs .nl.nl experiment: c't article. "DNSSEC in NL" is the final report about this experiment.
[4] DNSSEC in NL: secreg-report.pdf

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.