DNSSEC in Runet: 2026 Adoption Report

Key idea:

Enterno.io scanned DNSSEC across 2.6M active .ru/.рф/.su domains (March 2026). Only 4.1% are signed (vs 15% globally and 52% in .cz). Main blockers: registrars charge for DNSSEC, most hosters do not support key rollover, and the banking segment is constrained by CryptoPro-only signatures. The only large segment with strong DNSSEC is government .gov.ru (83%).

Below: key findings, platform breakdown, implications, methodology, FAQ.

Key Findings

Metric                                  Pass-rate / Value
Signed (.ru + .рф + .su total)          4.1%
.gov.ru (government)                    83%
.ru commercial                          3.2%
Valid DS record in TLD                  96%
Key rollover in the last 12 months      31%
Uses ECDSA (Algorithm 13)               62%

Breakdown by Platform

Platform                    Share         Pass / Detail
REG.RU                      28% market    DNSSEC: 2% (paid add-on)
Timeweb                     12%           DNSSEC: 8%
Beget                       7%            DNSSEC: 0% (unsupported)
Yandex Cloud DNS            5%            DNSSEC: 91%
Cloudflare DNS (for .ru)    4%            DNSSEC: 58%
Other                       44%           DNSSEC: 2.8%

Why It Matters

  • DNSSEC defends against DNS spoofing and cache poisoning — critical for banking and government
  • Without DNSSEC, NotPetya-class attacks (spoofed update servers) remain viable
  • DNSSEC is a prerequisite for DANE (SMTP auth via DNS) and CAA enforcement
  • Once enabled you must rotate keys every 3-12 months — most mass hosters skip this, temporarily making the domain unresolvable

Methodology

DNSKEY, DS and RRSIG queries via dig and delv across 2.6M domains (sample from Coordination Centre .ru/.рф/.su zone files). RRSIG validation via unbound with the .ru trust anchor. Key rollover detected by comparing DNSKEY RR-set to a snapshot from 12 months ago. Algorithm determined from DNSKEY Algorithm field.

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic and email, and how to verify domain ownership.

Common Mistakes

  • Missing SPF record: Without SPF, emails may land in spam. Add a v=spf1 TXT record.
  • Single NS server: If the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
  • CNAME conflicting with other records: CNAME cannot coexist with MX or TXT on the same name; this violates RFC.
  • TTL set too high: With 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
  • Missing PTR record: Mail servers check PTR. Without it, emails may be rejected.

Best Practices

  • Set up SPF + DKIM + DMARC: The trio of records that protects your email from spoofing and improves deliverability.
  • Use 2+ NS servers: Distribute NS servers across different networks for redundancy.
  • Lower TTL before migration: Set TTL to 300 at least 24-48 hours before an IP change for fast propagation.
  • Verify DNS after changes: After updating records, confirm changes propagated correctly and no errors remain.
  • Add a CAA record: CAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Frequently Asked Questions

Why is Runet DNSSEC adoption below global average?

Three factors: (1) registrars (REG.RU, Timeweb) charge 500-2000₽/year for DNSSEC instead of offering it free; (2) the FSB requires GOST R 34.10-2012, which most DNSKEY clients do not validate, so the two are incompatible; (3) mass Bitrix hosting has no UI for DS updates.

.cz has 52% DNSSEC — how?

The Czech registry CZ.NIC has been offering DNSSEC free and automatic since 2010. It is enabled by default at domain registration.

How do I check DNSSEC for my domain?

The Enterno DNS Checker (/en/dns) shows DNSKEY/DS/RRSIG and validation status. Or at the terminal: dig +dnssec +trace example.ru

What breaks on a bad key rollover?

The domain becomes unresolvable for validating resolvers (1.1.1.1, 9.9.9.9): clients get SERVFAIL. That is 25-40% of traffic for large sites. The fix is to submit the new DS record to the TLD via your registrar.
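
The DS-to-DNSKEY link that the Methodology checks and that a bad key rollover breaks, as an added Python example (not Enterno's code). It derives the key tag and SHA-256 DS digest from DNSKEY RDATA and classifies the delegation; the owner name, filler key bytes and function names are constructed for illustration, and RRSIG verification is left out.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (ASCII/A-label input assumed)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, SHA-256 digest) per RFC 4509, digest type 2."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest)

def chain_state(owner, parent_ds, child_keys):
    """Classify the delegation the way a validating resolver would see it."""
    if not parent_ds:
        return "insecure"              # no DS at the TLD: unsigned delegation
    published = {make_ds(owner, k) for k in child_keys}
    return "secure" if set(parent_ds) & published else "bogus"  # bogus -> SERVFAIL

def rolled_over(old_keys, new_keys):
    """Rollover heuristic from the methodology: the DNSKEY RR-set changed."""
    return set(old_keys) != set(new_keys)

# Constructed sample data: the 64-byte "public keys" are filler, not real ECDSA keys.
OWNER = "example.ru"
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))

def demo():
    ds_old, ds_new = make_ds(OWNER, OLD_KSK), make_ds(OWNER, NEW_KSK)
    return {
        "before": chain_state(OWNER, [ds_old], [OLD_KSK]),
        "botched": chain_state(OWNER, [ds_old], [NEW_KSK]),   # DS never updated
        "fixed": chain_state(OWNER, [ds_new], [NEW_KSK]),
        "unsigned": chain_state(OWNER, [], [NEW_KSK]),
        "rollover_seen": rolled_over([OLD_KSK], [NEW_KSK]),
    }

if __name__ == "__main__":
    print(demo())
```

The "botched" case is the outage described above: the zone publishes only the new key while the TLD still holds the old DS, so no DS matches and validating resolvers return SERVFAIL.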