Home / Blogs

DNSSEC Baby Steps Reported at ICANN 41

Ram Mohan

The Internet is slowly beginning to adopt the new DNSSEC domain names standard, but significant challenges remain. That was the main takeaway from a four-hour workshop on the technology held during the recent ICANN 41 public meeting in Singapore, which heard from many domain registries, registrars and other infrastructure providers.

July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment — encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.

About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars — seven or eight of them in the top ten by registration volume — have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That's a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant — obviously a thought-leader — has signed 500 of his own domains.

But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.

This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008's Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC's strongest proponent would wish for that scenario.

In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN's new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants — like potential high-security authenticated zones, such as .secure or .pay — to enforce the protocol at the second level, too.

You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it's that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that's a good thing.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

First Premium .yoga Domains Up for Auction

Afilias Releases 160,000+ Names Across 8 New TLDs

Deal Yourself In: .POKER Names Now Open to All

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

Lou Andreozzi to Lead New .Law Top-Level Domain

ICANN Business Constituency Elects Elisa Cooper of MarkMonitor as Chair

PIR Releases Report Detailing Steady Growth of .org Domain in 2014

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

.film to Provide New Home Online for the Film Industry

.VOTE Solves Presidential Candidate Ted Cruz's Domain Name Problem

.green Now in General Availability

ICANN's Registry Audits Begin Next Week. Are You Prepared?

Sunrise Period Begins for .NGO and .ONG

.study & .courses to Launch with Support of ARI Registry Services

We Know This .Sucks

ARI Registry Services Expands Middle East & Africa Operations

Radix Assumes Full Ownership of .online

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

NSW Government Launches .sydney Domain

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Afilias

DNS Security

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign
dotMobi

Mobile

Sponsored by
dotMobi