Halting the rollout of DNSSEC support for additional top-level domains

We just received the attached technical note from Verisign regarding our planned roll-out of DNSSEC support to more top-level domains.

They observe that our assumption that nic.tld is owned by the TLD registry only applies to new top-level domains - not to older ones established before 2000, and not to ccTLDs. As a result, this could allow an unintended party to gain control of a TLD.

We’re halting plans to roll out the new root while we consider the best way to remedy this.

verisign-ens-root-change-issues-2019-04-12.pdf (181.3 KB)


Curious as to the rationale behind using nic.tld rather than just tld for holding the TXT record.

ICANN forbids registrars to set TXT records on TLDs.

We do have an alternative, however - we could provide registrars with a means to submit a signed message (such as said TXT record) without hosting it on DNS.

I’ve just been made aware of this:


Hm, I think that suffers from the same approach as our current solution. Eg, just like we can’t assume ‘nic.tld’ is reserved by the TLD owner, we can’t assume ‘_ens.tld’ is either.