Home / Blogs

Slowly Cracking the DNSSEC Code at ICANN 43

Ram Mohan

As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment.

If you're not a regular reader, I should quickly explain that DNSSEC (Domain Name System Security Extensions) is the next-generation protocol that enables domain name registrants to give their users a more secure, trustworthy experience. Using cryptographic signatures, DNSSEC prevents man-in-the-middle spoofing attacks, such as the one illustrated by the Kaminsky Bug in 2008.

During the session, attendees first heard from various domain name registries. Staffan Hagnel from .SE, the pioneering Swedish ccTLD operator, explained how the registry persuaded its customers to adopt DNSSEC en masse by offering discounts to registrars. When .SE offered a 2.5% discount, he said, it had almost no effect. However, when the registry doubled the discount to 5% for any domain that was signed by the end of the year, DNSSEC adoption jumped from 4,000 domains to 172,000, literally overnight. It now plans to offer a 7.5% discount with the goal to get to 350,000 signed domains by the end of 2012.

On the ISP side of the deployment initiative, Costa Rica delegates heard from Comcast, the large American ISP that took the bold decision to make all of its DNS servers validating resolvers. It has found that 1.75% of the top 2,000 domains requested by its customers are DNSSEC-aware (often, these same domains are also IPv6-compatible). The main issue Comcast has faced is a lack of consumer education. As I previously discussed, some Internet users thought Comcast was at fault when NASA.gov fumbled its DNSSEC key rollover in January.

Comcast's temporary solution to this problem is for a standardized "negative trust anchor" that can be placed into validating resolvers. This enables ISPs to create a manually validated exceptions list and avoid cutting off their customers from websites that have accidental DNSSEC issues.

Attendees at ICANN 43 also heard about PayPal's first-hand experience implementing DNSSEC across its 1,100 domain names. PayPal's Bill Smith explained how signing all these zones took lots of planning and preparation, starting with the company's least-used domains and working up to the popular ones. But, he said, that the experience was "not as hard as we might have thought." The roll out took eight months. He said that the next challenge is creating an effective key rollover strategy. If keys are updated too regularly, it could prove a drain on resources; too infrequently, and institutional DNSSEC knowledge could fade.

PayPal's experiences are those of an early adopter. DNSSEC will become easier over time as experience is gained and better tools become available. Several panelists at the Costa Rica session remarked that the new BIND 9.9 name server software has a feature that enables "bump in the wire" DNSSEC signing, potentially simplifying deployment. There are also managed DNS services, such as Afilias' own, which enable one-click DNSSEC deployment and fully outsourced key management.

By Ram Mohan, Executive Vice President & CTO, Afilias

Related topics: DNS, DNS Security, ICANN, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

Auctions Update: MMX Wins .law and .vip

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Victorian Government & ARI Agree to Long-Term .melbourne Partnership

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Sponsored Topics