German Top Level Domain Now DNSSEC Frontrunner

.de Has the Most DNSSEC-Signed Second Level Domains in the World
(PresseBox) (Frankfurt, ) Since 31 May 2011, the .de zone has contained the public key needed for validation. Today, the Internet Assigned Numbers Authority (IANA) has published the related DS record in the root zone. Signed .de domains can therefore be validated with immediate effect.

Already today, more than 200,000 .de domains are signed with DNSSEC, i.e. the data provided by the DNS for them can now be checked for authenticity. This makes .de the Top Level Domain with the largest number of signed Second Level Domains worldwide.

The background to this is that DENIC offers the possibility to store authoritative data directly in the .de zone. Like the Second Level Domains delegated with their own key material, these data have been signed since 31 May 2011 and can now be checked by means of a validating resolver with a standard configuration. Part of this configuration is the so-called trust anchor for the root zone. Configuring a trust anchor for .de in addition to the one used for the root zone remains unnecessary and is not recommended.

Caching mechanisms in the DNS generally have the effect that new data are not visible immediately everywhere on the Internet. Operators of validating resolvers who want to validate .de domains as soon as possible may want to restart their resolver processes. This empties the cache and accelerates the process of getting ready for validation.

With validation now available, the DNSSEC testbed infrastructure has fulfilled its purpose. As already announced, it will be continued until the end of July 2011.

You will find detailed information about DNSSEC on our website.

Domain Name System Security Extensions (DNSSEC) are extensions of the DNS (Domain Name System) whose purpose is to close security holes in the Internet, such as cache poisoning and DNS spoofing.

DNSSEC provides security by data origin authentication, i.e. by securing the path between the DNS servers and the validating DNS clients, with intermediate resolvers and their caches included in the security perimeter. The applied signature reveals whether the data were actually generated by a source entitled to do so. At the same time, securing data integrity protects against DNS data that were manipulated on the way. However, DNSSEC does not guarantee the correctness of the initially stored data. Neither does it protect against domain hijacking or manipulation during the registration process.

DNSSEC verifies DNS replies by means of cryptographic signatures. These signatures are computed over the DNS data to be protected and are transferred to the client together with the data. Response verification is executed in the client or in the upstream resolver by checking the signatures against the public keys valid for the respective zone. These keys, in turn, are themselves stored in and retrieved from the DNS. This retrieval is itself secured by DNSSEC and is thus not subject to the aforementioned threats: only the key required to start the chain of trust (i.e. the key of the root zone) is permanently stored in the client or its configuration data.
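The two preceding paragraphs describe how a validating resolver follows the chain of trust from the single configured root key down to a zone's own keys. The following Python script is an added example and not DENIC's code: it implements the RFC 4034 key tag and DS digest computations, builds a constructed root / de. / example.de. hierarchy with placeholder public-key bytes (not real keys), and walks the chain from a root trust anchor, reporting "secure", "bogus" (a parent's DS does not match the child's DNSKEY, as with a substituted key) or "insecure" (the parent publishes no DS for the child). It also shows why no separate .de anchor is needed: the de. keys are reached through the DS in the root zone. The RRSIG signature verification over the records themselves is left to a DNS library and not modelled here.

```python
"""Chain-of-trust walk as DNSSEC builds it: one configured root trust anchor
(a DS record), DS records in each parent zone, DNSKEY records in each child.
All zone data below is constructed sample data with placeholder key bytes."""
import hashlib
import struct

# DS digest type codes (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i in range(0, len(rdata), 2):
        chunk = rdata[i:i + 2]
        ac += int.from_bytes(chunk, "big") if len(chunk) == 2 else chunk[0] << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest per RFC 4034 section 5.1.4: hash(owner wire name || DNSKEY RDATA)."""
    return DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent publishes for a child's key-signing DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """A DNSKEY is authenticated by a DS when tag, algorithm and digest all agree."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


def build_zones() -> dict:
    """Constructed hierarchy. Flags 257 = KSK; algorithm 8 = RSA/SHA-256.
    The key bytes are placeholders, not real public keys."""
    root_ksk = dnskey_rdata(257, 3, 8, b"placeholder-root-ksk")
    de_ksk = dnskey_rdata(257, 3, 8, b"placeholder-de-ksk")
    example_ksk = dnskey_rdata(257, 3, 8, b"placeholder-example.de-ksk")
    unsigned_key = dnskey_rdata(257, 3, 8, b"placeholder-key-never-delegated")
    return {
        ".": {"dnskeys": [root_ksk], "ds": {"de.": [make_ds("de.", de_ksk)]}},
        # de. publishes a DS for example.de. but none for unsigned.de.
        "de.": {"dnskeys": [de_ksk], "ds": {"example.de.": [make_ds("example.de.", example_ksk)]}},
        "example.de.": {"dnskeys": [example_ksk], "ds": {}},
        "unsigned.de.": {"dnskeys": [unsigned_key], "ds": {}},
    }


ZONES = build_zones()
# The only permanently configured key material: the DS of the root KSK.
TRUST_ANCHOR = [make_ds(".", ZONES["."]["dnskeys"][0])]


def validate_chain(zones: dict, name: str, trust_anchor: list) -> tuple:
    """Walk from the root to `name`, checking each zone's DNSKEY against the DS
    handed down by its parent (or the trust anchor for the root itself)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    expected_ds = trust_anchor
    for idx, zone in enumerate(path):
        if not any(dnskey_matches_ds(zone, k, ds) for k in zones[zone]["dnskeys"] for ds in expected_ds):
            return "bogus", f"no DNSKEY of {zone} matches the DS from its parent"
        # A real validator verifies the RRSIGs made with the matched key here.
        if idx == len(path) - 1:
            return "secure", zone
        child = path[idx + 1]
        expected_ds = zones[zone]["ds"].get(child)
        if not expected_ds:
            return "insecure", f"{zone} publishes no DS for {child}"


def tampered_zones() -> dict:
    """Same hierarchy, but example.de. answers with a substituted key."""
    zones = build_zones()
    zones["example.de."]["dnskeys"] = [dnskey_rdata(257, 3, 8, b"placeholder-substituted-key")]
    return zones


if __name__ == "__main__":
    print(validate_chain(ZONES, "example.de.", TRUST_ANCHOR))
    print(validate_chain(ZONES, "unsigned.de.", TRUST_ANCHOR))
    print(validate_chain(tampered_zones(), "example.de.", TRUST_ANCHOR))
```

The "bogus" outcome is the one that matters operationally: a validating resolver returns SERVFAIL for such a name instead of handing the forged data to the client, which is exactly the cache-poisoning defence the text describes. The "insecure" outcome is what an unsigned delegation produces; in real DNSSEC the absence of the DS is itself proven with signed NSEC/NSEC3 records, which this simplified walk does not model.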

DNSSEC is one component in making operation of the DNS, a crucial part of the Internet, more secure by protecting the DNS against data manipulation and spoofing.
