TLDs with DNSSEC — which extensions are cryptographically signed

Root-signed extensions and what DNSSEC protects

In one sentence

Most modern TLDs are DNSSEC-signed — including .com, .net, .org, the majority of new gTLDs and a large share of country codes. DNSSEC cryptographically signs DNS records so resolvers can verify they were not tampered with, protecting against spoofing and cache-poisoning. The internet root has been signed since 2010, and IANA publishes its trust anchor. A signed TLD is necessary, but your own domain must also be configured for end-to-end protection.

How DNSSEC works at the TLD level

DNSSEC builds a chain of trust that runs from the DNS root, down through the TLD, to your individual domain. The root zone was signed in 2010; each signed TLD publishes a DS (Delegation Signer) record in the root that links to its own signing keys; and each DNSSEC-enabled domain publishes a DS record at its TLD. When all three links exist, a validating resolver can mathematically prove that a DNS answer is authentic and unmodified. A TLD is described as "signed" when it participates in this chain — and today the overwhelming majority of extensions do. The authoritative reference for what the root delegates is the IANA root zone database.

DNSSEC support by TLD group

Signing status by category. Most extensions are signed; check the IANA entry for any specific TLD.

| TLD group | Examples | DNSSEC status |
|---|---|---|
| The root zone | . (root) | Signed since 2010; IANA publishes the trust anchor |
| Original generics | .com · .net · .org | Signed |
| New gTLDs | .app · .dev · .xyz · .shop | Signing mandated for new gTLDs — virtually all signed |
| Major country codes | .de · .uk · .nl · .se · .br | Mostly signed (most large ccTLDs) |
| Tech ccTLDs | .io · .co · .me · .ai | Most signed; verify the specific extension |
| Smaller / legacy ccTLDs | (varies by country) | Mixed — some not yet signed; check IANA |

Signing status can change as registries enable DNSSEC; the authoritative check is the DS record in the IANA root zone database entry. New gTLD contracts mandate DNSSEC, so coverage there is near-universal.

How to check and enable DNSSEC

To check whether an extension is signed, look up its entry in the IANA root zone database and confirm it has DNSSEC delegation, or use a DNSSEC debugger. To protect your own domain, the TLD being signed is only step one — you must also enable DNSSEC at your DNS host (which generates signing keys) and publish the matching DS record through your registrar so the chain of trust reaches your domain. Many registrars and managed-DNS providers now do this with a single toggle. Without that final step, a signed TLD gives your specific domain no protection.

In short. Nearly all major TLDs are DNSSEC-signed, and the root has been signed since 2010. Signing the TLD enables the chain; you still must enable DNSSEC on your own domain (host keys + registrar DS record) for end-to-end integrity. It is a security feature, not an SEO one.

Frequently asked questions

What is DNSSEC?
DNS Security Extensions add cryptographic signatures to DNS records so a resolver can verify an answer is authentic and untampered, protecting against cache-poisoning and spoofing. It builds a chain of trust from the root through the TLD to your domain.

Which TLDs support DNSSEC?
The vast majority — .com, .net, .org, most new gTLDs (signing is mandated) and most large country codes. The root has been signed since 2010. Confirm a specific extension via its DS record in the IANA root zone database.

Is .com DNSSEC-signed?
Yes — .com, .net and .org are all signed at the registry level, so you can enable DNSSEC on a domain under them via a DS record through your registrar. Signing the TLD is necessary but not sufficient; your domain must also be configured.

Does enabling DNSSEC affect SEO?
Not directly. DNSSEC is a security measure, not a ranking signal — Google does not rank a signed domain higher. The benefit is integrity and protection from DNS spoofing. Enable it for security, not SEO. See HTTPS-only TLDs.