The Legend of DNSSEC

We’ve taken to putting up animated maps of DNSSEC adoption in country code TLDs (ccTLDs) every few months (6 March 2012, 4 June 2012).   One question we get is,  “So, what does the legend in the maps we produce indicate?”  From the past through the date of the map, the following are from observation.  For dates beyond the date of the map, the following are either an extension of the observation or based on stated plans.

  • Experimental  (yellow) — We have reason to believe that the ccTLD is (or will be) experimenting with DNSSEC.
  • Announced (orange) — The ccTLD has announced that they will support DNSSEC.
  • Partial (green)  — The ccTLD has signed their zone, but has not yet passed DS records up to the root and may or may not be accepting signed delegations.
  • DS in Root (blue) — The ccTLS is signed  and DS records for its KSKs are (or will be)  in the root zone, but it is not yet accepting signed delegations.
  • Operational (red) — The ccTLD is signed, it has DS records in the root, and it is accepting signed delegations (DS records from child zones).

We can and do identify current Partial and DS in Root statuses programatically.  Everything else needs human input.  Specifically, your input sent to info @

Comments are closed.