Home / Blogs

DNSSEC Update from ICANN 42 in Dakar

Ram Mohan

While the global rollout of Domain Name System Security Extensions (DNSSEC) continues at the domain name registry level — with more than 25% of top-level domains now signed — the industry continues to focus on the problem of registrar, ISP and ultimately end-user adoption. At the ICANN meeting in Dakar in late October, engineers from some of the early-adopting registries gathered for their regular face-to-face discussion about how to break the "chicken or egg" problems of secure domain name deployment.

Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers.

This level of rapid uptake was achieved through a combination of registrar outreach, incentives, and end-user marketing, Filip said. Registrars received free training, co-marketing assistance and increased rebates from CZ.NIC for signing domains. Three .cz registrars have now signed all of their customers' domains by default and free of charge, which accounts for the big uptick earlier this year.

Larger ccTLDs and gTLDs signed their zones later and have seen lower adoption so far. Roy Arends of Nominet said that 226 domains use DNSSEC in .uk, following the signing of second-level zones such as .co.uk and .org.uk in May. However, Arends also reported seeing increasing levels of DNSSEC queries coming from resolvers, suggesting that ISPs in the UK are beginning to support the technology, bringing secure DNS one step closer to end users.

Vincent Levigneron of .fr registry Afnic said that there are only 30 signed domain names of the two million in .fr, and only 1% of its accredited registrars offer the technology, about a year after .fr was signed. VeriSign's Joe Waldron reported that .com had 4,436 signed domains in mid-October, about six months after DNSSEC went live in the 100-million-strong zone.

Waldron, along with Afilias' Jim Galvin, shared .org data and explained that DNSSEC can be complex for registrars to implement in gTLDs where inter-registrar transfers are commonplace and easy. When a domain name is transferred between two registrars that also bundle DNS with their services, the DNSSEC records must also be transferred. This becomes more complex when a registrant uses a third-party provider for their DNS needs. Mistakes could lead to validation failures and downtime — and that is unacceptable to customers.

Galvin explained that work is underway on best practices for inter-registrar transfers of DNSSEC-signed domains when a third-party operator needs to be in the loop. DNS services currently bundled with registration services will need to be functionally decoupled to make a coordinated handover more reliable, and registrants will need to be well-informed about how to transfer their DNS functionality as well as their domains.

As I've previously written, the road to universal DNSSEC deployment will be long and fraught with challenges. Open industry discussions and the sharing of experiences and best practices — the likes of which we saw once again at ICANN Dakar — can only help make the roll-out shorter and easier for all concerned. DNSSEC deployment is something the Internet is relying on us all to do, and we're getting there, one step at a time.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Access Providers, DNS, DNS Security, Domain Names, ICANN, Security

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

LogicBoxes Launches the New Elite Reseller Program

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Effective Strategies to Build Your Reseller Channel (Webinar)

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

.STORE Grosses Over $1 Million Before the Close of Day 1

News.Markets: A Rising Star in the World of Financial Trading and New TLDs

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Announces .コム Domain Names Are Now Available for Anyone to Register

NBA & NFL Teams Drive .store Sunrise Score to 647

New TLD .STORE Crosses 500+ Sunrise Applications

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector

Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking

Is Your TLD Threat Mitigation Strategy up to Scratch?

Verisign Launches New gTLDs for the Korean Market, .닷컴 and .닷넷

Verisign Opens Landrush Program Period for .コム Domain Names

Domain Management Handbook from MarkMonitor

Sponsored Topics

Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Afilias

DNS Security

Sponsored by
Afilias
Port25

Email

Sponsored by
Port25
Verisign

Security

Sponsored by
Verisign