The measured data reveals the following key findings: the total for signed domains (.ru + .рф + .su) has a pass-rate/value of 4.1%; the pass-rate/value for .gov.ru (government) is 83%; the pass-rate/value for .ru commercial domains is 3.2%; the pass-rate/value for valid DS records in TLD is 96%; and the pass-rate/value for key rollover in the last 12 months is 31%. Full tables are provided below on this page.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Free online tool — DNS lookup tool: instant results, no signup.
| Metric | Pass-rate / Value | Median | p75 |
|---|---|---|---|
| Signed (.ru + .рф + .su total) | 4.1% | — | — |
| .gov.ru (government) | 83% | — | — |
| .ru commercial | 3.2% | — | — |
| Valid DS record in TLD | 96% | — | — |
| Key rollover in the last 12 months | 31% | — | — |
| Uses ECDSA (Algorithm 13) | 62% | — | — |
| Platform | Share | Pass / Detail | avg LCP |
|---|---|---|---|
| REG.RU | 28% market | DNSSEC: 2% (paid add-on) | — |
| Timeweb | 12% | DNSSEC: 8% | — |
| Beget | 7% | DNSSEC: 0% (unsupported) | — |
| Yandex Cloud DNS | 5% | DNSSEC: 91% | — |
| Cloudflare DNS (for .ru) | 4% | DNSSEC: 58% | — |
| Other | 44% | DNSSEC: 2.8% | — |
DNSKEY, DS and RRSIG queries via dig and delv across 2.6M domains (sample from Coordination Centre .ru/.рф/.su zone files). RRSIG validation via unbound with the .ru trust anchor. Key rollover detected by comparing DNSKEY RR-set to a snapshot from 12 months ago. Algorithm determined from DNSKEY Algorithm field.
Despite its potential for enhancing domain security, DNSSEC adoption in the Runet remains low, with only 4.1% of domains signed. Key barriers include insufficient awareness, technical complexity, and limited support from registrars. To implement DNSSEC, administrators can use commands like dnssec-signzone to sign zones, but lack of resources and training continues to hinder widespread adoption.
DNSSEC, or Domain Name System Security Extensions, is a suite of specifications designed to protect the integrity and authenticity of DNS data. By enabling DNSSEC, domain owners can prevent various types of attacks, including cache poisoning and man-in-the-middle attacks. The primary mechanism behind DNSSEC is the use of digital signatures to verify DNS responses, ensuring that users connect to the legitimate site rather than a malicious one.
The protocol employs a hierarchical key structure that mirrors the DNS hierarchy itself, with each zone signing its child zones. This creates a chain of trust, with the root zone at the top. In practice, when a DNS resolver queries a domain, it can validate the response against the public key provided by the parent zone, confirming the response's authenticity.
In regions like the EU, where adoption rates are notably higher, DNSSEC is often viewed as a standard practice for organizations focused on cybersecurity. In contrast, Runet's adoption remains limited due to several challenges. For instance, many organizations still rely on traditional DNS without fully grasping the risks associated with not implementing DNSSEC. This lack of awareness is further complicated by the technical complexities involved in setting up and managing DNSSEC, with only a small percentage of platforms offering support for it.
Furthermore, the absence of robust incentives from ISPs and registrars to adopt DNSSEC has left many domains vulnerable. In the EU, registrars often provide DNSSEC signing as a standard feature, simplifying the process for domain owners. Conversely, in Runet, this is not yet commonplace.
Several key barriers contribute to the low adoption rate of DNSSEC in Runet as of 2026. Understanding these obstacles is crucial for practitioners aiming to enhance their domain security protocols.
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com generates a key for signing the zone. However, the intricacies of key management and rotation often deter smaller organizations.To illustrate, consider an organization that wishes to implement DNSSEC for its domain. They would first need to create a signed zone file using dnssec-signzone, and then publish the DNSKEY record in their parent zone. Without registrar support or technical guidance, this process can become overwhelming, leading many to forgo DNSSEC altogether.
In conclusion, while DNSSEC offers essential security enhancements, the current landscape in Runet presents significant challenges. Addressing these barriers requires a concerted effort from industry stakeholders, educational initiatives, and regulatory frameworks to promote best practices in domain security.
DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.
Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.
Direct queries to authoritative servers. Results in milliseconds, no caching.
SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.
Save check results. Compare DNS records before and after registrar changes.
DNS check after deploy
SPF/DKIM/DMARC audit
DNS config audit
DNS zone control
v=spf1 TXT record.DNS check history, API keys and DNS change monitoring.
Sign up freeThree factors: (1) registrars (REG.RU, Timeweb) charge 500-2000₽/year for DNSSEC instead of offering it free; (2) FSB requires GOST R 34.10-2012, and most DNSKEY clients do not validate it — incompatible; (3) mass Bitrix hosting has no UI for DS updates.
The Czech registry CZ.NIC has been offering DNSSEC free and automatic since 2010. It is enabled by default at domain registration.
<a href="/en/dns">Enterno DNS Checker</a> shows DNSKEY/DS/RRSIG and validation status. Or at the terminal: <code>dig +dnssec +trace example.ru</code>.
The domain becomes unresolvable for validating resolvers (1.1.1.1, 9.9.9.9) — clients get SERVFAIL. That is 25-40% of traffic for large sites. Fixed by committing the new DS to the TLD via your registrar.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.