Bangladesh Telecommunications Company Limited (BTCL), operator of the .BD country-code top-level domain, has completed DNSSEC deployment across five second-level domains: ac.bd (academic), gov.bd (government), com.bd (commercial), net.bd, and org.bd. The work, described in detail by BTCL domain operations lead Joyeeta Sen Rimpee in a post on the APNIC Blog, brought the first verified chain of trust from the DNS root to a .BD leaf domain on 26 August 2025, when kuet.ac.bd — the domain of Khulna University of Engineering & Technology — achieved end-to-end DNSSEC validation.
Prior to August 2025, not a single second-level domain under .BD carried DNSSEC protection, leaving roughly 50,000 registered domains without cryptographic authentication. BTCL had established signing between the root zone and the .BD nameservers during an earlier phase, work attributed to Md. Anwar Parvez, who initiated that portion of the project. However, an economy-wide DNS blackout subsequently disrupted operations and stalled further progress.
The deployment effort resumed in earnest after Sen Rimpee attended the Phoenix Summit in May 2025, where hands-on training led by Philip Paeps of the Network Startup Resource Center provided the operational confidence to proceed at scale. A separate APNIC workshop held in Bangladesh in June 2024, led by APNIC Senior Network Analyst Md. Abdul Awal, had earlier introduced the team to DNSSEC concepts; Awal also served as a remote debugging partner throughout the 2025 rollout.
- Zero .BD SLDs were DNSSEC-signed before August 2025
- First end-to-end validated chain: kuet.ac.bd, 26 August 2025
- Five SLDs now signed: ac.bd, gov.bd, com.bd, net.bd, org.bd
- Approximately three million .BD lookups per day now return authenticated responses
- Signing used Algorithm 13 (ECDSA P-256/SHA-256) on BIND 9.9+ with auto-dnssec maintain and inline signing
The technical stack relied on BIND 9.9+ running auto-dnssec maintain with inline signing — acknowledged as aging infrastructure, but sufficient to complete the rollout. Separate KSK and ZSK pairs, both using ECDSA P-256 with SHA-256 (Algorithm 13), handled zone signing. SHA-1 digest records discovered during deployment were removed in favor of SHA-256-only DS records, in line with current IETF guidance. Validation tooling included DNSViz for chain-of-trust visualization and the Verisign Labs DNSSEC Debugger for per-record signature checks.
Three operational problems surfaced mid-deployment. BTCL's registrant portal had no mechanism to accept DS record submissions, requiring manual intervention by an administrator until the feature was added. DNSViz subsequently revealed a stale DS record referencing a deleted KSK (Algorithm 8, Key Tag 26044), which was cleared via the IANA portal. Firewall rules silently dropping UDP packets caused child-zone validation failures unrelated to the cryptographic configuration; correcting those rules and verifying EDNS0 support resolved the issue.
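The two delegation problems described above, a DS record left pointing at a deleted KSK and leftover SHA-1 digests, can both be caught by comparing the parent's DS set with the child's published DNSKEYs. The following is an added example, not code from BTCL or the APNIC post: the zone name `child.example.` and the key material are constructed, only the key tag 26044 and Algorithm 8 come from the article, and the digest shown for that record is a placeholder.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def audit_ds(owner, ds_set, dnskeys):
    """Classify each parent-side DS (tag, alg, digest_type, hex) against the child's DNSKEYs."""
    by_id = {(key_tag(k), k[3]): k for k in dnskeys}  # byte 3 of RDATA = algorithm
    report = []
    for tag, alg, dtype, digest in ds_set:
        key = by_id.get((tag, alg))
        if key is None:
            status = "STALE"      # points at a key the zone no longer publishes
        elif dtype not in DIGESTS or ds_digest(owner, key, dtype) != digest.upper():
            status = "MISMATCH"   # key exists but the digest does not match it
        elif dtype == 1:
            status = "WEAK-SHA1"  # valid, but should be withdrawn from the parent
        else:
            status = "OK"
        report.append((tag, alg, dtype, status))
    return report

# Constructed sample data: a dummy Algorithm 13 KSK (flags 257, protocol 3), not a real key.
OWNER = "child.example."
KSK = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
DS_SET = [
    (key_tag(KSK), 13, 2, ds_digest(OWNER, KSK, 2)),  # current SHA-256 DS
    (key_tag(KSK), 13, 1, ds_digest(OWNER, KSK, 1)),  # leftover SHA-1 DS
    (26044, 8, 2, "00" * 32),  # tag/algorithm from the article; digest is a placeholder
]

if __name__ == "__main__":
    for row in audit_ds(OWNER, DS_SET, [KSK]):
        print(*row)
```

A validating resolver can still build a chain through the matching SHA-256 DS while the other two records sit in the parent zone, which is why stale and weak entries tend to surface only when an operator inspects the delegation directly.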
Government domains under gov.bd were signed next, with quicksign.gov.bd as the first, and challenges in that phase were resolved by September 2025. Commercial domains followed, with primebank.com.bd serving as a landmark validation for com.bd; that phase completed by November 2025.
DNSViz now shows a clean SECURE status across the full .BD hierarchy, and resolvers at global vantage points consistently return the AD (Authenticated Data) flag for signed zones.
For professionals: Registry and ccTLD operators planning similar rollouts should audit registrant-facing portal capabilities — specifically DS record submission workflows and EPP integration — before beginning zone signing, as tooling gaps rather than cryptographic complexity drove the longest delays here. The BTCL experience also underscores that broken DNSSEC chains frequently trace back to stale delegation records or firewall packet filtering rather than key-management errors, making network-layer checks a sensible first diagnostic step.
Planned next steps include migrating to dnssec-policy to replace the legacy auto-dnssec maintain configuration, introducing NSEC3 for zone enumeration resistance, establishing a formal key-rollover schedule, adopting HSM-based key storage, and deploying anycast for authoritative nameservers. Automating DS record submission — a contribution from the REVE Systems team — is described as essential groundwork for scaling DNSSEC enrollment to individual registrants.
Automated pipeline · Domains
Synthesized from 1 industry feed on 13 Jun 2026. First draft failed editor review; a revised version was approved before publication. Style guide v1.1.
Decision trail
- Checking for duplicates — New story First coverage of Bangladesh .BD ccTLD's DNSSEC implementation case study.
- Writing the article — Draft created article_id=20 slug=how-bangladesh-s-bd-cctld-went-from-zero-dnssec-coverage-to-five-signed-slds-in-2025
- Editor review — Rejected
- Factual grounding: Material: The article states the effort 'began with a 2024 APNIC training workshop.' The source is more nuanced: the workshop (June 2024) established signing between the root zone and .BD nameservers, but the effort then stalled and was effectively relaunched after the Phoenix Summit in May 2025. Describing the Phoenix Summit as where the effort ended ('ended with validated chains') is also imprecise — the source says Joyeeta Sen Rimpee attended Phoenix Summit and gained confidence, not that the deployment ended there.
- Factual grounding: Material: The article describes the effort as '18-month effort.' The source does not explicitly state an 18-month duration for the deployment phase. The author states 'under eighteen months' but this refers to her personal learning journey ('from knowing nothing to helping deploy DNSSEC... in under eighteen months'), not necessarily the deployment timeline itself. The article repurposes this figure as a project duration, which is a misattribution of the statistic.
- Factual grounding: Material: The standfirst claims 'roughly three million daily DNS lookups that had none before August 2025.' The source states 'approximately three million .BD domain lookups per day are cryptographically authenticated' but does not say these lookups 'had none before August 2025' — it says zero SLDs were signed before August 2025. The article conflates the number of lookups with a pre-August baseline that is not established in the source.
- Factual grounding: Minor: The article says 'Md. Anwar Parvez...had been completed by BTCL engineer Md. Anwar Parvez during an earlier phase.' The source says Parvez 'initiated the DNSSEC journey by establishing signing between the root zone and the .BD servers' but does not specify his title as 'engineer' — the source gives no job title for Parvez.
- Factual grounding: Minor: The article describes the June 2024 workshop as being 'led by' Philip Paeps of NSRC. The source states the June 2024 workshop 'was led by Md. Abdul Awal, Senior Network Analyst and Technical Trainer at APNIC.' Philip Paeps led the Phoenix Summit training, not the 2024 workshop. The article correctly attributes Paeps to the Phoenix Summit, but this conflation risk is close to the text and worth flagging.
- Factual grounding: Material: The article states 'an economy-wide DNS disruption halted progress.' The source says 'An economy-wide DNS blackout disrupted operations.' While close, the article's framing ('left the project dormant') is supported. However, attributing the disruption specifically to what 'halted progress' on DNSSEC specifically — vs. general operations — is a slight overreach. Minor.
- Factual grounding: Minor: The article says 'DS records submitted to parent zones used SHA-256 digests only, with SHA-1 entries explicitly removed to comply with current recommendations.' The source frames this as a fix to a problem discovered mid-deployment, not as a design choice from the start. The article presents it as the technical approach upfront, which slightly misrepresents the sequence.
- Factual grounding: Minor: The article says 'BIND 9.9+ with inline signing.' The source says 'BIND 9.9+, using auto-dnssec maintain with inline signing.' The omission of 'auto-dnssec maintain' is not materially wrong but drops a relevant technical detail.
- Style compliance: Minor: Body word count appears to exceed 620 words (estimated ~650-680 words), approaching but not clearly exceeding the 750-word hard maximum. This is a style violation but not a hard reject on its own.
- Factual grounding: Minor: The source URL is dated 2026-06-08 (blog.apnic.net/2026/06/08/...) but the article body describes events in 2025 without noting the publication date. Not an error in the article itself, but the source link date may raise questions about consistency — not a material issue.
- Writing the article — Rewritten editor-driven rewrite
- Editor review — Approved
- Factual grounding: Minor: The article states Philip Paeps is from the 'Network Startup Resource Center' — the source says 'NSRC' without spelling it out. NSRC is commonly known as the Network Startup Resource Center, so this is uncontroversial industry common knowledge. Not a material issue.
- Factual grounding: Minor: The article describes Md. Abdul Awal as 'APNIC Senior Network Analyst'. The source says 'Senior Network Analyst and Technical Trainer at APNIC'. Dropping 'Technical Trainer' is a minor omission but not a material error.
- Factual grounding: Minor: The article says the Phoenix Summit was attended 'in May 2025' — confirmed by source. The article says 'A separate APNIC workshop held in Bangladesh in June 2024' — source confirms June 2024. No issue.
- Factual grounding: Minor: The article attributes the 'economy-wide DNS blackout' as disrupting operations and stalling progress. The source confirms this sequence. No issue.
- Factual grounding: Minor: The article says REVE Systems team contributed DS record submission automation, described as 'essential groundwork for scaling.' The source credits 'Masudur Rahman, Zakir Hossain, Alamgir Hossain, and the REVE Systems team' for automating DS record submission. Accurate.
- Factual grounding: Minor: The source does not explicitly state that Md. Anwar Parvez 'initiated that portion of the project' and 'left the team two years ago' — the article omits the 'two years ago' detail but correctly attributes the root-level signing to Parvez. No invented facts.
- Quote integrity: No blockquotes used as attributed verbatim quotes. Key facts and For professionals blocks are original synthesis. No issue.
- No copied phrasing: Minor: The phrase 'auto-dnssec maintain with inline signing' and 'Algorithm 13 (ECDSA P-256 with SHA-256)' are technical terms that must appear as-is; these are not copyable phrasing violations. However, 'Approximately 50,000 registered domains without cryptographic authentication' closely mirrors the source's 'Approximately 50,000 domains. Millions of passive users… Zero cryptographic protection.' The article restructures this adequately.
- Style compliance: Minor: The REVE Systems acknowledgment in the final body paragraph is slightly close to listing acknowledgement names from the source, but the article correctly attributes the work without copying source phrasing verbatim.
- Style compliance: Minor: Body word count appears to be approximately 680-700 words, within the 701-780 borderline range. Close to the 750-word hard maximum but not clearly over it based on visible text.
- Assigning hero image — Pexels pexels_id=4508751
- Linking related stories — Linked 0 relations from 4 candidates
- Linking related stories — Linked 0 relations from 8 candidates
- Linking related stories — Linked 0 relations from 12 candidates
- Publishing — Published how-bangladesh-s-bd-cctld-went-from-zero-dnssec-coverage-to-five-signed-slds-in-2025
