The Domain Name System (DNS) is the system that maps easily memorizable host names to their IP addresses. Because of its criticality, the Internet Engineering Task Force (IETF) has defined the DNS Security Extensions (DNSSEC) to provide data-origin authentication. In this paper, we point out two drawbacks of the DNSSEC standard in its handling of DNS dynamic updates: 1) the on-line storage of a zone security key, which creates a single point of attack for both inside and outside attackers, and 2) the violation of the role separation principle, which in the context of DNSSEC requires separating the role of zone security manager from that of DNS name server administrator. To address these issues, we propose an alternative secure DNS architecture based on threshold cryptography. Unlike DNSSEC, this architecture adheres to the role separation principle without presenting any single point of attack. To show the feasibility of the proposed architecture, we developed a threshold cryptography toolkit based on the Java Cryptography Architecture (JCA) and built a proof-of-concept prototype with the toolkit. Our results from running the prototype on a representative platform show that the performance of our proposed architecture ranges from one to four times that of DNSSEC. Thus, with a small performance overhead, our proposed architecture could achieve a very high level of security.