Home / Blogs

DNSSEC Update from ICANN 42 in Dakar

Ram Mohan

While the global rollout of Domain Name System Security Extensions (DNSSEC) continues at the domain name registry level — with more than 25% of top-level domains now signed — the industry continues to focus on the problem of registrar, ISP and ultimately end-user adoption. At the ICANN meeting in Dakar in late October, engineers from some of the early-adopting registries gathered for their regular face-to-face discussion about how to break the "chicken or egg" problems of secure domain name deployment.

Perhaps the most encouraging update came from CZ.NIC, the manager of Czech country-code top-level domain .cz, which has been aggressively promoting DNSSEC since 2009. According to CZ.NIC's Ondrej Filip, 17% of domains in the .cz zone are now signed. That's 145,000 domains, making .cz probably the most DNSSEC-saturated zone in both relative and absolute numbers.

This level of rapid uptake was achieved through a combination of registrar outreach, incentives, and end-user marketing, Filip said. Registrars received free training, co-marketing assistance and increased rebates from CZ.NIC for signing domains. Three .cz registrars have now signed all of their customers' domains by default and free of charge, which accounts for the big uptick earlier this year.

Larger ccTLDs and gTLDs signed their zones later and have seen lower adoption so far. Roy Arends of Nominet said that 226 domains use DNSSEC in .uk, following the signing of second-level zones such as .co.uk and .org.uk in May. However, Arends also reported seeing increasing levels of DNSSEC queries coming from resolvers, suggesting that ISPs in the UK are beginning to support the technology, bringing secure DNS one step closer to end users.

Vincent Levigneron of .fr registry Afnic said that there are only 30 signed domain names of the two million in .fr, and only 1% of its accredited registrars offer the technology, about a year after .fr was signed. VeriSign's Joe Waldron reported that .com had 4,436 signed domains in mid-October, about six months after DNSSEC went live in the 100-million-strong zone.

Waldron, along with Afilias' Jim Galvin, shared .org data and explained that DNSSEC can be complex for registrars to implement in gTLDs where inter-registrar transfers are commonplace and easy. When a domain name is transferred between two registrars that also bundle DNS with their services, the DNSSEC records must also be transferred. This becomes more complex when a registrant uses a third-party provider for their DNS needs. Mistakes could lead to validation failures and downtime — and that is unacceptable to customers.

Galvin explained that work is underway on best practices for inter-registrar transfers of DNSSEC-signed domains when a third-party operator needs to be in the loop. DNS services currently bundled with registration services will need to be functionally decoupled to make a coordinated handover more reliable, and registrants will need to be well-informed about how to transfer their DNS functionality as well as their domains.

As I've previously written, the road to universal DNSSEC deployment will be long and fraught with challenges. Open industry discussions and the sharing of experiences and best practices — the likes of which we saw once again at ICANN Dakar — can only help make the roll-out shorter and easier for all concerned. DNSSEC deployment is something the Internet is relying on us all to do, and we're getting there, one step at a time.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: Access Providers, DNS, DNS Security, Domain Names, ICANN, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Alabama Joins dotVOTE Movement - Announces Alabama.vote for Its Election Site

LogicBoxes Partners With Domains.Green to Setup Retail & Wholesale Channels for .green Domains

New Top-Level Domain .fit Launches, Announces Partnership with the Arnold Sports Festival

Bauer Media Joins Minds + Machines as a .fishing Pioneer

New .vote TLD Used for Arizona Voters

Afilias Releases 160,000+ Names Across 8 New TLDs

Deal Yourself In: .POKER Names Now Open to All

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

ICANN Business Constituency Elects Elisa Cooper of MarkMonitor as Chair

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

ICANN's Registry Audits Begin Next Week. Are You Prepared?

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

NSW Government Launches .sydney Domain

New .VOTE and .VOTO Domains Now Available

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

Verisign Launches New Monthly Blog Series: Top 10 Keywords Registered in .COM and .NET

.LGBT Public Launch Begins Today

Verisign Celebrates .com's 30th Anniversary, Launches Domain Name Contest

Sponsored Topics

Verisign

Security

Sponsored by
Verisign
Port25

Email

Sponsored by
Port25
Afilias

DNS Security

Sponsored by
Afilias
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi