Home / Blogs

Beyond the Top Level: DNSSEC Deployment at ICANN 40

Ram Mohan

I recently wrote about the encouraging level of DNSSEC adoption among top-level domain name registries, and noted that adoption at the second level and in applications is an important next step for adding more security to the DNS. The root and approximately 20 percent of the top level domains are now signed; it is time for registrars and recursive DNS servers operated by the ISPs to occupy center stage. I'm happy to report that a workshop on the deployment of the DNSSEC protocol at the recent ICANN 40 meeting in San Francisco provided an excellent opportunity for many vital stakeholders to share their views and deployment stories.

DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.

ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop's location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."

During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.

Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.

The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNSSEC, Registry Services, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Minds + Machines in 2014 and 2015

New .VOTE and .VOTO Domains Launched

Consumers Prefer the .ORGANIC Domain for True-Organic Goods

DNW Podcast Interview with Antony Van Couvering

TLD Registry and Right of the Dot Establish a Domain Name Industry "Dream Team"

TLD Registry Ltd Welcomes New Board Members

New .LGBT Top-Level Domain Launched

.sydney Domain Names Now Available in Pre-Release

"Chinese Domaining Masterclass" to be Presented at NamesCon Las Vegas in January 2015

Auction and Sales Channel Update

Radix Set to Launch .SITE TLD in 2015

Annual Manthan Award Event This Week

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

List of New gTLD Availability & Key Information Provided for Download

Radix Launches .Space for Individuals, Freelancers and Professionals

TLD Registry Wins Best Marketing Award at China New gTLD Roadshow

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
Verisign

Security

Sponsored by
Verisign
Afilias

DNSSEC

Sponsored by
Afilias