Calls: Send in your ideas. Deadline October 1st, 2022.

Authenticated DNSSEC bootstrapping

Secure in-band announcements of DNSSEC parameters

Turning on DNSSEC for a domain involves (1) signing the domain's DNS zone content and (2) adding the signature public key to the chain of trust. The second step has long posed a problem, as it requires (often manual) transfer of information from the domain's operator to the parent (usually the top-level domain). It is largely due to this "DNSSEC bootstrapping problem" that only about 6% of the Top 1M domains are securely delegated (Tranco, 06/2022).

The project extends commonly used authoritative nameserver software with native support for authenticated DNSSEC bootstrapping (draft-ietf-dnsop-dnssec-bootstrapping). This protocol, a soon-to-be IETF standard, allows DNSSEC parameters to be communicated automatically and securely, enabling DNS operators and parent registries to turn on DNSSEC automatically. To measure the protocol's impact on real-world DNSSEC deployment, measurements of protocol adoption over time will be made available.

Run by deSEC e.V.

Logo NLnet: abstract logo of four people seen from above Logo NGI Assure: letterlogo shaped like a tag

This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Applications are still open, you can apply today.

Navigate projects

Please check out NLnet's theme funds, such as NGI Assure and NGI Zero Entrust.

Want to help but no money to spend? Help us by protecting open source and its users.

.