
Automated DNSSEC could dramatically improve Internet security by protecting the majority of domains—especially gTLDs that host 42 % of all sites—from spoofing and hijacking attacks.
Despite two decades of availability, DNSSEC remains under‑utilized, with only 36 % of resolvers performing validation and a modest 7 % of domains carrying a secure delegation in 2025. The primary barrier is operational complexity: multi‑step enrollment, disparate registrar interfaces, and fragile key‑rollover procedures deter even security‑conscious owners. This friction not only limits the protective benefits against DNS spoofing and BGP hijacking but also reinforces a perception that DNSSEC is a high‑risk add‑on rather than a baseline security layer.
Automation directly addresses those pain points by letting the child zone publish authenticated CDS or CDNSKEY records that the parent registry can translate into DS records without human intervention. The “old signs new” principle (the CDS/CDNSKEY RRset is accepted only when signed by a key already represented in the parent’s DS set) guarantees continuity, while nudging mechanisms let the child prompt the parent, removing the need for costly parent‑side scans of every child zone. European ccTLDs such as .ch, .cz, and .se have already deployed this model, demonstrating reliable rollovers and near‑zero outage rates. Their experience proves that a fully automated chain of trust can be both secure and operationally simple.
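The parent‑side logic described above, as an added example that is not part of the original article or of any registry’s code: it derives DS records from DNSKEY RDATA (RFC 4034), enforces “old signs new”, honours the RFC 8078 delete sentinel, and refuses CDS records that do not match a DNSKEY the child actually serves. The KSK byte strings are constructed placeholders, and the function assumes the RRSIG over the CDS RRset has already been cryptographically verified against the named signer key.

```python
"""Parent-side acceptance of child-published CDS records (RFC 7344 / RFC 8078)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> DS:
    """RFC 4034 5.1.4: digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), rdata[3], 2, digest)


DELETE_CDS = DS(0, 0, 0, b"\x00")  # RFC 8078 "0 0 0 00": child asks to drop its DS


def accept_cds(owner, current_ds, signer_rdata, dnskey_rrset, cds_rrset):
    """Return the DS set to publish, or None to refuse the update.
    Assumes the RRSIG over the CDS RRset already verified against signer_rdata."""
    # "Old signs new": the signing key must already be anchored by a parent DS,
    # so a freshly introduced key can never bootstrap its own delegation.
    if ds_from_dnskey(owner, signer_rdata) not in current_ds:
        return None
    if cds_rrset == {DELETE_CDS}:
        return set()
    # Every advertised CDS must correspond to a DNSKEY the child actually serves.
    published = {ds_from_dnskey(owner, k) for k in dnskey_rrset}
    if not cds_rrset or not cds_rrset <= published:
        return None
    return set(cds_rrset)


# Constructed KSK RDATA: flags 257, protocol 3, algorithm 13, then a 64-byte
# placeholder "public key" (not a real curve point, for illustration only).
OLD_KSK = b"\x01\x01\x03\x0d" + bytes(range(64))
NEW_KSK = b"\x01\x01\x03\x0d" + bytes(range(64, 128))
```

With OLD_KSK’s DS at the parent, a CDS set announcing OLD_KSK and NEW_KSK is accepted when signed by OLD_KSK and refused when signed by NEW_KSK, which is exactly the rollover safety the article attributes to “old signs new”.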
The next hurdle is extending this proven workflow to the gTLD ecosystem, which houses the majority of the Internet’s traffic. ICANN’s approval is essential, and the DNSOP working group’s forthcoming RFC codifies safety checks, short‑TTL rollbacks, transparent notifications, and lock handling to mitigate deployment risk. By standardizing these safeguards, the guidelines aim to convince registries and registrars that automated DS updates will not jeopardize service continuity. Widespread gTLD adoption could push DNSSEC deployment into double‑digit percentages, raising the overall resilience of the global DNS infrastructure.