Home / Blogs

DNSSEC Deployment Reaching Critical Mass

Ram Mohan

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our "Project Safeguard." Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

By Ram Mohan, Executive Vice President & CTO, Afilias

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Truly a great start for DNSSEC, Ram. Howard Baldwin  –  Mar 23, 2011 8:52 AM PDT

Truly a great start for DNSSEC, Ram. Thanks for the update. For more on the hows and whys of DNSSEC implementation, check out this white paper from Verisign: http://resources.cio.com/ccd/show/200001949/00116440024019CIO0ZL4SM68V3/

About me: http://bit.ly/fQZRHb

DNSSEC resources Ram Mohan  –  Mar 23, 2011 10:43 AM PDT

Howard,

Thank you for the kind words - DNSSEC is a major international undertaking, and it is neat to see it go mainstream after so many years of what felt like pushing on a string.

Several excellent resources exist for more information on DNSSEC:
DNSSEC Information & Tools - http://pir.org/dnssec
DNSSEC Resource Centerr - http://www.afilias.info/dnssec
DNSSEC Deployment Initiative - http://dnssec-deployment.org/
DNSSEC Tools Project - http://dnssec-tools.org/
NamesBeyond DNSSEC - DNSSEC Registrar, http://www.namesbeyond.com/dnssec
DNSSEC Industry Coalition - http://dnsseccoalition.org/website/

For the technically minded, the IETF has published several RFCs on DNSSEC:
RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC 4033: DNS Security Introduction and Requirements
RFC 4641: DNSSEC Operational Practices

-Ram

Don't forget the resolver side Marco Davids  –  Mar 23, 2011 10:57 AM PDT

Let's not forget the resolver side.

Are you ready to do DNSSEC validation?

http://dnssectest.sidn.nl/

Resolver tools Ram Mohan  –  Mar 23, 2011 1:36 PM PDT

Marco,
You're totally right - the resolver side gets more and more important as DNSSEC hits the mainstream.

Tools like the one above (SIDN) are very useful.

In addition, there are several validating resolvers:
DNS OARC - https://www.dns-oarc.net/oarc/services/odvr
DNSSEC Reply Size Test Tool - https://www.dns-oarc.net/oarc/services/replysizetest

A reasonably comprehensive look at tools is available here:
DNSSEC Validation Tools Matrix - https://www.dnssec-deployment.org/wiki/index.php?title=Validation_tools_matrix&oldid=98

-Ram

Excellent link - thanx!Here is the link Louise Timmons  –  Mar 23, 2011 10:38 PM PDT

Excellent link - thanx!

Here is the link to the FAQ, to show what is involved to enable DNSSEC:

http://dnssectest.sidn.nl/faq.php

Mr. Ram Mohan, I have enjoyed your Louise Timmons  –  Mar 23, 2011 10:35 PM PDT

Mr. Ram Mohan, I have enjoyed your updates and appreciate SOMEONE is paying attention to DNSSEC. You said, "the resolver side gets more and more important as DNSSEC hits the mainstream."

Without the RESOLVER side, there is no DNSSEC.

What would it have cost ICANN to promote DNSSEC with ISPs, hosting companies, browser creators, and modem manufacturers? What would it have cost to launch a campaign to bring awareness? to bring everyone on board? to make the internet safer and more secure? All those contingents have to come on board to make DNSSEC mainstream. It would advance the cause of the internet.

But ICANN didn't launch a campaign, because DNSSEC spread nation-wide would adversely affect the pockets of ICANN "Insiders" who depend on the criminal element for part of their income: Verisign and the major Registrars.

The (sometimes unwelcome) fact is that ICANN Ram Mohan  –  Mar 24, 2011 8:06 AM PDT

The (sometimes unwelcome) fact is that ICANN has very little leeway or sway with ISPs, hosting companies, and in many other areas of the technology spectrum.  ICANN only has contracts with registries and registrars in the gTLD space, and in that limited space, it is advancing DNSSEC.  I have observed (and participated in) all-day workshops on DNSSEC that attracts a solid audience at the ICANN meetings for at least the past 2 years.

The interesting play here is how other parts of the technology and DNS industry integrate DNSSEC into their plans - this is a multi-year process, and it needs many segments to rise to the challenge.  Planning, execution and delivery are important - much of the technology work is complete.

Some other questions are whether a business case can be made for DNSSEC implementation, because selling security by itself is very difficult.

-Ram

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

Last Lap of .WEBSITE, .PRESS and .HOST Sunrise

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Neustar to Launch usTLD Stakeholder Council

Introducing the New .ORGANIC Domain: A Trusted, Credible Space for Organic Products on the Web

.WANG - 15,000 Registrations on Day One of General Availability

Dot Brand: Why Your Brand Needs Its Own Top-Level Domain

Afilias Announces Start of .BLACK Sunrise Period

Radix Launches Three New TLDs in Sunrise With Backing from 50+ Registrar Partners

.WANG General Availability Opens on June 30, 2014

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Sponsored Topics