Home / Blogs

DNSSEC Update from ICANN 42 in Dakar

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Ram Mohan

While the global rollout of Domain Name System Security Extensions (DNSSEC) continues at the domain name registry level — with more than 25% of top-level domains now signed — the industry continues to focus on the problem of registrar, ISP and ultimately end-user adoption. At the ICANN meeting in Dakar in late October, engineers from some of the early-adopting registries gathered for their regular face-to-face discussion about how to break the "chicken or egg" problems of secure domain name deployment.

Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers.

This level of rapid uptake was achieved through a combination of registrar outreach, incentives, and end-user marketing, Filip said. Registrars received free training, co-marketing assistance and increased rebates from CZ.NIC for signing domains. Three .cz registrars have now signed all of their customers' domains by default and free of charge, which accounts for the big uptick earlier this year.

Larger ccTLDs and gTLDs signed their zones later and have seen lower adoption so far. Roy Arends of Nominet said that 226 domains use DNSSEC in .uk, following the signing of second-level zones such as .co.uk and .org.uk in May. However, Arends also reported seeing increasing levels of DNSSEC queries coming from resolvers, suggesting that ISPs in the UK are beginning to support the technology, bringing secure DNS one step closer to end users.

Vincent Levigneron of .fr registry Afnic said that there are only 30 signed domain names of the two million in .fr, and only 1% of its accredited registrars offer the technology, about a year after .fr was signed. VeriSign's Joe Waldron reported that .com had 4,436 signed domains in mid-October, about six months after DNSSEC went live in the 100-million-strong zone.

Waldron, along with Afilias' Jim Galvin, shared .org data and explained that DNSSEC can be complex for registrars to implement in gTLDs where inter-registrar transfers are commonplace and easy. When a domain name is transferred between two registrars that also bundle DNS with their services, the DNSSEC records must also be transferred. This becomes more complex when a registrant uses a third-party provider for their DNS needs. Mistakes could lead to validation failures and downtime — and that is unacceptable to customers.

Galvin explained that work is underway on best practices for inter-registrar transfers of DNSSEC-signed domains when a third-party operator needs to be in the loop. DNS services currently bundled with registration services will need to be functionally decoupled to make a coordinated handover more reliable, and registrants will need to be well-informed about how to transfer their DNS functionality as well as their domains.

As I've previously written, the road to universal DNSSEC deployment will be long and fraught with challenges. Open industry discussions and the sharing of experiences and best practices — the likes of which we saw once again at ICANN Dakar — can only help make the roll-out shorter and easier for all concerned. DNSSEC deployment is something the Internet is relying on us all to do, and we're getting there, one step at a time.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Access Providers, Cybersecurity, DNS, DNS Security, Domain Names, ICANN

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Verisign

Cybersecurity

Sponsored by Verisign
Afilias

DNS Security

Sponsored by Afilias

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS