September 29, 2017 to October 3, 2017
Fairmont San Jose
US/Pacific timezone

DNSSEC Operations in the .gov TLD

Sep 29, 2017, 10:10 AM
Regency 2 Ballroom (Fairmont San Jose)

170 S Market Street, San Jose, 95113, CA, USA
Standard Presentation, Public Workshop


Mr Scott Rose (NIST)


We look at the results of multiple years of DNSSEC scanning to see how DNSSEC is being maintained in the .gov TLD. We look at signing algorithm use, hash algorithm use in DS RRsets, and the parameters used in NSEC3. We also look for trends and changes over time to detect algorithm rollovers and changes to NSEC3 parameters. The goal of this work is to see how DNSSEC is being deployed and administered in .gov delegations and whether there are any issues that need to be addressed. We are primarily looking at NSEC/NSEC3 usage and algorithm usage to see how well they conform to best common practices and federal policy.


We scanned the list of .gov delegations for several months to look for algorithm usage, NSEC/NSEC3 usage, and NSEC3 parameters. We also looked at previous years' signing algorithm usage to detect algorithm rollovers. Algorithm usage appears fairly stable over the last three years in .gov delegations, with only a few zones changing algorithms in any given year. RSA/SHA-256 seems to be the most widely deployed algorithm and was the algorithm of choice for most changes. Only a few zones have changed to ECDSA as a signing algorithm, which federal guidelines have recommended since 2015.

NSEC3 usage is fairly stable in .gov and is the preferred choice for denial-of-existence proofs. The values chosen for salt and iterations also seem to fall within a narrow range. These parameter values rarely change no matter how many times the zone is re-signed, which does not follow guidance. Given the (believed) wide use of automated tools and appliances for DNSSEC in .gov zones, these issues could be addressed by changing tools or promoting best common practices.
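As an added illustration of the kind of analysis the abstract describes (not code from the talk or from NIST), the Python below tallies DNSKEY algorithms, DS digest types and NSEC3PARAM iterations/salt per zone from constructed scan lines, then diffs two yearly snapshots to flag algorithm rollovers and NSEC3 parameter changes. Zone names, key material and digests are placeholders.

```python
"""Tally DNSSEC parameters per zone from constructed sample scan lines and diff two scans."""
from collections import Counter
ALG = {7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 13: "ECDSAP256SHA256"}  # IANA DNSSEC algorithm numbers
DIGEST = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}  # IANA DS digest type numbers

# Constructed sample scan output (name ttl class type rdata); keys and digests are placeholders.
SCAN_2016 = """\
a.gov. 3600 IN DNSKEY 257 3 7 AwEAAa...
a.gov. 3600 IN DS 11111 7 1 0123456789ABCDEF0123456789ABCDEF01234567
a.gov. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
b.gov. 3600 IN DNSKEY 257 3 8 AwEAAc...
b.gov. 3600 IN NSEC3PARAM 1 0 10 1234
"""
SCAN_2017 = """\
a.gov. 3600 IN DNSKEY 257 3 8 AwEAAd...
a.gov. 3600 IN DS 33333 8 2 00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF
a.gov. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
b.gov. 3600 IN DNSKEY 257 3 8 AwEAAc...
b.gov. 3600 IN NSEC3PARAM 1 0 10 1234
c.gov. 3600 IN DNSKEY 257 3 13 oJMRES...
"""
def parse_scan(text):
    """zone -> {'alg': DNSKEY algorithms, 'ds': DS digest types, 'nsec3': (iterations, salt)}"""
    zones = {}
    for line in text.splitlines():
        name, _ttl, _cls, rtype, *rd = line.split()
        z = zones.setdefault(name, {"alg": set(), "ds": set(), "nsec3": None})
        if rtype == "DNSKEY":        # rdata: flags protocol algorithm public-key
            z["alg"].add(int(rd[2]))
        elif rtype == "DS":          # rdata: keytag algorithm digest-type digest
            z["ds"].add(int(rd[2]))
        elif rtype == "NSEC3PARAM":  # rdata: hash-alg flags iterations salt
            z["nsec3"] = (int(rd[2]), rd[3])
    return zones

def summarize(zones):
    """Zones per signing algorithm, per DS digest type and per NSEC3 (iterations, salt) pair."""
    algs = Counter(ALG.get(a, str(a)) for z in zones.values() for a in z["alg"])
    ds = Counter(DIGEST.get(d, str(d)) for z in zones.values() for d in z["ds"])
    return algs, ds, Counter(z["nsec3"] for z in zones.values() if z["nsec3"])

def detect_changes(old, new):
    """Algorithm rollovers and NSEC3PARAM changes for zones present in both scans."""
    events = []
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        if o["alg"] != n["alg"]:
            events.append((name, "algorithm", sorted(o["alg"]), sorted(n["alg"])))
        if o["nsec3"] != n["nsec3"]:
            events.append((name, "nsec3param", o["nsec3"], n["nsec3"]))
    return events
```

Running the same diff over consecutive monthly scans, as the abstract describes, is how a static salt that never changes across re-signings would show up: the NSEC3PARAM tuple stays identical while the DNSKEY set turns over.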

Talk Duration 15 Minutes

Primary author

Mr Scott Rose (NIST)
