Skip to content

DNSSEC in Runet: 2026 Adoption Report

Key idea:

The measured data reveals the following key findings: the total for signed domains (.ru + .рф + .su) has a pass-rate/value of 4.1%; the pass-rate/value for .gov.ru (government) is 83%; the pass-rate/value for .ru commercial domains is 3.2%; the pass-rate/value for valid DS records in TLD is 96%; and the pass-rate/value for key rollover in the last 12 months is 31%. Full tables are provided below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your domain's DNS →

Key Findings

MetricPass-rate / ValueMedianp75
Signed (.ru + .рф + .su total)4.1%
.gov.ru (government)83%
.ru commercial3.2%
Valid DS record in TLD96%
Key rollover in the last 12 months31%
Uses ECDSA (Algorithm 13)62%

Breakdown by Platform

PlatformSharePass / Detailavg LCP
REG.RU28% marketDNSSEC: 2% (paid add-on)
Timeweb12%DNSSEC: 8%
Beget7%DNSSEC: 0% (unsupported)
Yandex Cloud DNS5%DNSSEC: 91%
Cloudflare DNS (for .ru)4%DNSSEC: 58%
Other44%DNSSEC: 2.8%

Why It Matters

  • DNSSEC defends against DNS spoofing and cache poisoning — critical for banking and government
  • Without DNSSEC, NotPetya-class attacks (spoofed update servers) remain viable
  • DNSSEC is a prerequisite for DANE (SMTP auth via DNS) and CAA enforcement
  • Once enabled you must rotate keys every 3-12 months — most mass hosters skip this, temporarily making the domain unresolvable

Methodology

DNSKEY, DS and RRSIG queries via dig and delv across 2.6M domains (sample from Coordination Centre .ru/.рф/.su zone files). RRSIG validation via unbound with the .ru trust anchor. Key rollover detected by comparing DNSKEY RR-set to a snapshot from 12 months ago. Algorithm determined from DNSKEY Algorithm field.

TL;DR

Despite its potential for enhancing domain security, DNSSEC adoption in the Runet remains low, with only 4.1% of domains signed. Key barriers include insufficient awareness, technical complexity, and limited support from registrars. To implement DNSSEC, administrators can use commands like dnssec-signzone to sign zones, but lack of resources and training continues to hinder widespread adoption.

Understanding DNSSEC and Its Importance

DNSSEC, or Domain Name System Security Extensions, is a suite of specifications designed to protect the integrity and authenticity of DNS data. By enabling DNSSEC, domain owners can prevent various types of attacks, including cache poisoning and man-in-the-middle attacks. The primary mechanism behind DNSSEC is the use of digital signatures to verify DNS responses, ensuring that users connect to the legitimate site rather than a malicious one.

The protocol employs a hierarchical key structure that mirrors the DNS hierarchy itself, with each zone signing its child zones. This creates a chain of trust, with the root zone at the top. In practice, when a DNS resolver queries a domain, it can validate the response against the public key provided by the parent zone, confirming the response's authenticity.

In regions like the EU, where adoption rates are notably higher, DNSSEC is often viewed as a standard practice for organizations focused on cybersecurity. In contrast, Runet's adoption remains limited due to several challenges. For instance, many organizations still rely on traditional DNS without fully grasping the risks associated with not implementing DNSSEC. This lack of awareness is further complicated by the technical complexities involved in setting up and managing DNSSEC, with only a small percentage of platforms offering support for it.

Furthermore, the absence of robust incentives from ISPs and registrars to adopt DNSSEC has left many domains vulnerable. In the EU, registrars often provide DNSSEC signing as a standard feature, simplifying the process for domain owners. Conversely, in Runet, this is not yet commonplace.

Barriers to DNSSEC Adoption in Runet

Several key barriers contribute to the low adoption rate of DNSSEC in Runet as of 2026. Understanding these obstacles is crucial for practitioners aiming to enhance their domain security protocols.

  • Awareness and Education: Many organizations in Runet lack awareness of DNSSEC's benefits. Educational initiatives, such as workshops and webinars, could bridge this gap, but such efforts are currently limited.
  • Technical Complexity: Implementing DNSSEC requires a certain level of technical expertise. Administrators must understand how to generate keys, sign zones, and manage DNS records. For example, the command dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com generates a key for signing the zone. However, the intricacies of key management and rotation often deter smaller organizations.
  • Lack of Registrar Support: While many EU registrars offer integrated DNSSEC services, this is not yet standard practice in Runet. Registrars need to provide user-friendly interfaces for DNSSEC management to encourage adoption.
  • Resource Constraints: Smaller organizations may lack the financial and human resources required for implementing and maintaining DNSSEC. This includes not only the technical implementation but also ongoing management and monitoring.
  • Policy and Regulation: Unlike the EU, where regulations encourage cybersecurity best practices, Runet lacks similar mandates. Government policies promoting DNSSEC adoption could significantly impact its uptake.

To illustrate, consider an organization that wishes to implement DNSSEC for its domain. They would first need to create a signed zone file using dnssec-signzone, and then publish the DNSKEY record in their parent zone. Without registrar support or technical guidance, this process can become overwhelming, leading many to forgo DNSSEC altogether.

In conclusion, while DNSSEC offers essential security enhancements, the current landscape in Runet presents significant challenges. Addressing these barriers requires a concerted effort from industry stakeholders, educational initiatives, and regulatory frameworks to promote best practices in domain security.

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Learn more

Frequently Asked Questions

Why is Runet DNSSEC adoption below global average?

Three factors: (1) registrars (REG.RU, Timeweb) charge 500-2000₽/year for DNSSEC instead of offering it free; (2) FSB requires GOST R 34.10-2012, and most DNSKEY clients do not validate it — incompatible; (3) mass Bitrix hosting has no UI for DS updates.

.cz has 52% DNSSEC — how?

The Czech registry CZ.NIC has been offering DNSSEC free and automatic since 2010. It is enabled by default at domain registration.

How do I check DNSSEC for my domain?

<a href="/en/dns">Enterno DNS Checker</a> shows DNSKEY/DS/RRSIG and validation status. Or at the terminal: <code>dig +dnssec +trace example.ru</code>.

What breaks on a bad key rollover?

The domain becomes unresolvable for validating resolvers (1.1.1.1, 9.9.9.9) — clients get SERVFAIL. That is 25-40% of traffic for large sites. Fixed by committing the new DS to the TLD via your registrar.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.