VeriSign is to start rolling out the DNSSEC security protocol in .net today, and will sign .com next March, the company said today.
In an email to the dns-ops mailing list, VeriSign vice president Matt Larson said that .net will today get a “deliberately unvalidatable zone”, which uses unusable dummy keys for testing purposes.
That test is set to end on December 9, when .net will become fully DNSSEC-compatible.
The .com TLD will get its own unvalidatable zone in March, but registrars will be able to start submitting cryptographic keys for the domains they manage from February.
The .com zone will be validatable later in March.
The DNSSEC standard allows resolvers to confirm that DNS traffic has not been tampered with, reducing the risk of attacks such as cache poisoning.
Signing .com is viewed as the last major registry-level hurdle to jump before adoption kicks off more widely. The root zone was signed in July and a few dozen other TLDs, such as .org, are already signed.