Home / Blogs

Beyond the Top Level: DNSSEC Deployment at ICANN 40

Ram Mohan

I recently wrote about the encouraging level of DNSSEC adoption among top-level domain name registries, and noted that adoption at the second level and in applications is an important next step for adding more security to the DNS. The root and approximately 20 percent of the top level domains are now signed; it is time for registrars and recursive DNS servers operated by the ISPs to occupy center stage. I'm happy to report that a workshop on the deployment of the DNSSEC protocol at the recent ICANN 40 meeting in San Francisco provided an excellent opportunity for many vital stakeholders to share their views and deployment stories.

DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.

ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop's location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."

During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.

Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.

The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, Registry Services, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Verisign's Q2'15 DDoS Trends: DDoS for Bitcoin Increasingly Targets Financial Industry

.ONLINE GA Launches with 28,000 Registrations in the First 30 Minutes

Protect Your Network From BYOD Malware Threats With The Verisign DNS Firewall

.ONLINE Sees the Biggest Generic Sunrise Ever

Influential Law Firms Have Become Early Adopters of '.law' TLD

.Online Receives 550+ Sunrise Requests, a Fortnight Still to Go

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

40+ Pioneers Signed on for .TECH, as it Enters EAP Today‚Ä®

WeddingWire Joins Minds + Machines As New TLD '.Wedding' Pioneer

Minds + Machines and ALM Media Announce Strategic Partnership on .law

Independent Review Panel Favored DotConnectAfrica Trust Against ICANN Ruling Over .Africa Domain

Carlsberg Group Joins Minds + Machines Pioneer Program

Introducing the Verisign DNS Firewall

In Celebration of Marriage Equality Each New .LGBT Name Donates $20 to the It Gets Better Project

Afilias Adds .PROMO to Its Expanding List of Top Level Domains

LogicBoxes Helps .MN Registry Grow by 350%

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

LogicBoxes Powers .NGO & .ONG Retail and Wholesale Channels for ENSET

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Sponsored Topics