
DNSSEC Update from ICANN 42 in Dakar

Ram Mohan

While the global rollout of Domain Name System Security Extensions (DNSSEC) continues at the domain name registry level — with more than 25% of top-level domains now signed — the industry continues to focus on the problem of registrar, ISP and ultimately end-user adoption. At the ICANN meeting in Dakar in late October, engineers from some of the early-adopting registries gathered for their regular face-to-face discussion about how to break the "chicken or egg" problems of secure domain name deployment.

Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers.

This level of rapid uptake was achieved through a combination of registrar outreach, incentives, and end-user marketing, Filip said. Registrars received free training, co-marketing assistance and increased rebates from CZ.NIC for signing domains. Three .cz registrars have now signed all of their customers' domains by default and free of charge, which accounts for the big uptick earlier this year.

Larger ccTLDs and gTLDs signed their zones later and have seen lower adoption so far. Roy Arends of Nominet said that 226 domains use DNSSEC in .uk, following the signing of second-level zones such as .co.uk and .org.uk in May. However, Arends also reported seeing increasing levels of DNSSEC queries coming from resolvers, suggesting that ISPs in the UK are beginning to support the technology, bringing secure DNS one step closer to end users.

Vincent Levigneron of .fr registry Afnic said that there are only 30 signed domain names of the two million in .fr, and only 1% of its accredited registrars offer the technology, about a year after .fr was signed. VeriSign's Joe Waldron reported that .com had 4,436 signed domains in mid-October, about six months after DNSSEC went live in the 100-million-strong zone.

Waldron, along with Afilias' Jim Galvin, shared .org data and explained that DNSSEC can be complex for registrars to implement in gTLDs where inter-registrar transfers are commonplace and easy. When a domain name is transferred between two registrars that also bundle DNS with their services, the DNSSEC records must also be transferred. This becomes more complex when a registrant uses a third-party provider for their DNS needs. Mistakes could lead to validation failures and downtime — and that is unacceptable to customers.

Galvin explained that work is underway on best practices for inter-registrar transfers of DNSSEC-signed domains when a third-party operator needs to be in the loop. DNS services currently bundled with registration services will need to be functionally decoupled to make a coordinated handover more reliable, and registrants will need to be well-informed about how to transfer their DNS functionality as well as their domains.
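The validation failures described above occur when the DS record held by the registry no longer matches any DNSKEY that the domain's new DNS operator serves. The check below is an added example, not code from the original post or from any registry; the domain, key bytes and function names are constructed for illustration, and the DS computation follows RFC 4034 with a SHA-256 digest.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as laid out in RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches_served_key(owner, registry_ds, served_dnskeys):
    """True if some DS held by the registry matches a DNSKEY the DNS operator
    serves. Necessary for validation; signatures are not checked here."""
    served = {make_ds(owner, k) for k in served_dnskeys}
    return any(ds in served for ds in registry_ds)

# Constructed sample data: placeholder key bytes, not real keys.
DOMAIN = "example.org"
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))        # losing operator
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))   # gaining operator
REGISTRY_DS = [make_ds(DOMAIN, OLD_KSK)]                    # DS still at the registry

if __name__ == "__main__":
    # Name servers moved, DS left behind: validating resolvers fail the domain.
    print("DS not updated:  ", ds_matches_served_key(DOMAIN, REGISTRY_DS, [NEW_KSK]))
    # One possible handover state: the registry holds a DS for both keys.
    both = REGISTRY_DS + [make_ds(DOMAIN, NEW_KSK)]
    print("DS for both keys:", ds_matches_served_key(DOMAIN, both, [NEW_KSK]))
```

Running the same comparison against the DS set the registry actually holds and the DNSKEY set the gaining operator actually serves, before the name servers are switched, catches the mismatch before resolvers do.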

As I've previously written, the road to universal DNSSEC deployment will be long and fraught with challenges. Open industry discussions and the sharing of experiences and best practices — the likes of which we saw once again at ICANN Dakar — can only help make the roll-out shorter and easier for all concerned. DNSSEC deployment is something the Internet is relying on us all to do, and we're getting there, one step at a time.

By Ram Mohan, Executive Vice President & CTO, Afilias
