The com zone’s DS record was added to the root zone today, marking an important milestone in the deployment of DNSSEC. com is the largest zone on the Internet by most measures, containing over 90 million delegations. This means that the administrators of the corresponding 90 million subzones can sign their zones, and validating recursive name servers will be able to follow a continuous chain of trust from the root zone’s public Key-Signing Key to validate arbitrary data in those zones.
I hope this serves as a catalyst for those administrators still on the fence about DNSSEC: From an infrastructure standpoint, there’s no longer an excuse not to deploy DNSSEC. There’s broad support for DNSSEC in name server implementations (BIND, Unbound, NSD, the Microsoft DNS Server). The chain of trust is in place. The rest is up to you.
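The link that a DS record in a parent zone provides in the chain of trust described above can be shown in code. The following is an added example, not part of the original post: it computes the DS fields for a DNSKEY as specified in RFC 4034 and checks whether a DS record commits to a given key. The key bytes are constructed placeholders, the function names are hypothetical, and signature verification over the DS and DNSKEY record sets (the other half of validation) is left out.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hashes[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner: str, ds: tuple, rdata: bytes) -> bool:
    """True if the parent's DS record commits to exactly this child DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in (1, 2):  # unsupported digest type: cannot validate this DS
        return False
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.lower())

# Constructed sample: flags 257 (key-signing key), protocol 3, algorithm 8.
# The key bytes are placeholders, not a real RSA key and not com's actual key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes(range(32)))
SAMPLE_DS = make_ds("com.", SAMPLE_RDATA)

if __name__ == "__main__":
    print("DS:", *SAMPLE_DS)
    print("genuine key matches:", ds_matches("com.", SAMPLE_DS, SAMPLE_RDATA))
    forged = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
    print("substituted key matches:", ds_matches("com.", SAMPLE_DS, forged))
```

Because the owner name is hashed together with the key, the same DNSKEY published under a different zone name does not match the DS.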