Home / Blogs

Slowly Cracking the DNSSEC Code at ICANN 43

Ram Mohan

As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment.

If you're not a regular reader, I should quickly explain that DNSSEC (Domain Name System Security Extensions) is the next-generation protocol that enables domain name registrants to give their users a more secure, trustworthy experience. Using cryptographic signatures, DNSSEC prevents man-in-the-middle spoofing attacks, such as the one illustrated by the Kaminsky Bug in 2008.

During the session, attendees first heard from various domain name registries. Staffan Hagnel from .SE, the pioneering Swedish ccTLD operator, explained how the registry persuaded its customers to adopt DNSSEC en masse by offering discounts to registrars. When .SE offered a 2.5% discount, he said, it had almost no effect. However, when the registry doubled the discount to 5% for any domain that was signed by the end of the year, DNSSEC adoption jumped from 4,000 domains to 172,000, literally overnight. It now plans to offer a 7.5% discount with the goal to get to 350,000 signed domains by the end of 2012.

On the ISP side of the deployment initiative, Costa Rica delegates heard from Comcast, the large American ISP that took the bold decision to make all of its DNS servers validating resolvers. It has found that 1.75% of the top 2,000 domains requested by its customers are DNSSEC-aware (often, these same domains are also IPv6-compatible). The main issue Comcast has faced is a lack of consumer education. As I previously discussed, some Internet users thought Comcast was at fault when NASA.gov fumbled its DNSSEC key rollover in January.

Comcast's temporary solution to this problem is for a standardized "negative trust anchor" that can be placed into validating resolvers. This enables ISPs to create a manually validated exceptions list and avoid cutting off their customers from websites that have accidental DNSSEC issues.

Attendees at ICANN 43 also heard about PayPal's first-hand experience implementing DNSSEC across its 1,100 domain names. PayPal's Bill Smith explained how signing all these zones took lots of planning and preparation, starting with the company's least-used domains and working up to the popular ones. But, he said, that the experience was "not as hard as we might have thought." The roll out took eight months. He said that the next challenge is creating an effective key rollover strategy. If keys are updated too regularly, it could prove a drain on resources; too infrequently, and institutional DNSSEC knowledge could fade.

PayPal's experiences are those of an early adopter. DNSSEC will become easier over time as experience is gained and better tools become available. Several panelists at the Costa Rica session remarked that the new BIND 9.9 name server software has a feature that enables "bump in the wire" DNSSEC signing, potentially simplifying deployment. There are also managed DNS services, such as Afilias' own, which enable one-click DNSSEC deployment and fully outsourced key management.

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, ICANN, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

ICANN's Registry Audits Begin Next Week. Are You Prepared?

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

Video Interviews from ICANN 51 in Los Angeles

ICANN Los Angeles Recap Webinar

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

Auctions Update: MMX Wins .law and .vip

Sponsored Topics



Sponsored by


Sponsored by

DNS Security

Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines