Home / Blogs

Beyond the Top Level: DNSSEC Deployment at ICANN 40

Ram Mohan

I recently wrote about the encouraging level of DNSSEC adoption among top-level domain name registries, and noted that adoption at the second level and in applications is an important next step for adding more security to the DNS. The root and approximately 20 percent of the top level domains are now signed; it is time for registrars and recursive DNS servers operated by the ISPs to occupy center stage. I'm happy to report that a workshop on the deployment of the DNSSEC protocol at the recent ICANN 40 meeting in San Francisco provided an excellent opportunity for many vital stakeholders to share their views and deployment stories.

DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.

ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop's location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."

During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.

Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.

The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.

By Ram Mohan, Executive Vice President & CTO, Afilias

Related topics: DNS, DNS Security, Registry Services, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

General Availability Period for New .RED Top-Level Domain Opens

General Availability Period for New .BLUE Top-Level Domain Opens

General Availability Period for New .PINK Top-Level Domain Opens

New Chinese "Mobile" Top-Level Domain Now Available

New .KIM Domain Goes Live

Welcome .SHIKSHA! General Availability Now Open

Adrian Kinderis Appointed as Chair of Domain Name Association

Internet Reaches 271 Million Domain Names in the Fourth Quarter of 2013

Why We Decided to Stop Offering Free Accounts

The Future of Chinese Domain Names (a Panel Discussion)

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Afilias Chairman Appointed to Domain Name Association Board

.BUILD Enters Landrush with Support of ARI Registry Services

Dyn Acquires Managed DNS Provider Nettica

Radix Awards Contracts for .website, .host, .space, and .press to CentralNic plc

DotConnectAfrica Statement Regarding NTIA's Intent to Transition Key Internet Domain Name Function

Afilias Welcomes "Dot Chinese Online" and "Dot Chinese Website" Top-Level Domains to the Internet

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Sponsored Topics