Home / Blogs

DNSSEC Baby Steps Reported at ICANN 41

Ram Mohan

The Internet is slowly beginning to adopt the new DNSSEC domain names standard, but significant challenges remain. That was the main takeaway from a four-hour workshop on the technology held during the recent ICANN 41 public meeting in Singapore, which heard from many domain registries, registrars and other infrastructure providers.

July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment — encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.

About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars — seven or eight of them in the top ten by registration volume — have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That's a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant — obviously a thought-leader — has signed 500 of his own domains.

But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.

This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008's Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC's strongest proponent would wish for that scenario.

In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN's new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants — like potential high-security authenticated zones, such as .secure or .pay — to enforce the protocol at the second level, too.

You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it's that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that's a good thing.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Announcing Verisign IntelGraph: Unprecedented Context for Cybersecurity Intelligence

40+ Pioneers Signed on for .TECH, as it Enters EAP Today‚Ä®

WeddingWire Joins Minds + Machines As New TLD '.Wedding' Pioneer

Minds + Machines and ALM Media Announce Strategic Partnership on .law

Independent Review Panel Favored DotConnectAfrica Trust Against ICANN Ruling Over .Africa Domain

Carlsberg Group Joins Minds + Machines Pioneer Program

Introducing the Verisign DNS Firewall

In Celebration of Marriage Equality Each New .LGBT Name Donates $20 to the It Gets Better Project

Afilias Adds .PROMO to Its Expanding List of Top Level Domains

LogicBoxes Helps .MN Registry Grow by 350%

TLD Security, Spec 11 and Business Implications

Verisign Named to the Online Trust Alliance's 2015 Honor Roll

LogicBoxes Powers .NGO & .ONG Retail and Wholesale Channels for ENSET

3 Key Steps for SMBs to Protect Their Website and Critical Internet Services

Key Considerations for Selecting a Managed DNS Provider

Verisign Mitigates More DDoS Attacks in Q1 2015 than Any Quarter in 2014

Alabama Joins dotVOTE Movement - Announces Alabama.vote for Its Election Site

LogicBoxes Partners With Domains.Green to Setup Retail & Wholesale Channels for .green Domains

New Top-Level Domain .fit Launches, Announces Partnership with the Arnold Sports Festival

Bauer Media Joins Minds + Machines as a .fishing Pioneer

Sponsored Topics