Home / Blogs

Slowly Cracking the DNSSEC Code at ICANN 43

Ram Mohan

As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment.

If you're not a regular reader, I should quickly explain that DNSSEC (Domain Name System Security Extensions) is the next-generation protocol that enables domain name registrants to give their users a more secure, trustworthy experience. Using cryptographic signatures, DNSSEC prevents man-in-the-middle spoofing attacks, such as the one illustrated by the Kaminsky Bug in 2008.

During the session, attendees first heard from various domain name registries. Staffan Hagnel from .SE, the pioneering Swedish ccTLD operator, explained how the registry persuaded its customers to adopt DNSSEC en masse by offering discounts to registrars. When .SE offered a 2.5% discount, he said, it had almost no effect. However, when the registry doubled the discount to 5% for any domain that was signed by the end of the year, DNSSEC adoption jumped from 4,000 domains to 172,000, literally overnight. It now plans to offer a 7.5% discount with the goal to get to 350,000 signed domains by the end of 2012.

On the ISP side of the deployment initiative, Costa Rica delegates heard from Comcast, the large American ISP that took the bold decision to make all of its DNS servers validating resolvers. It has found that 1.75% of the top 2,000 domains requested by its customers are DNSSEC-aware (often, these same domains are also IPv6-compatible). The main issue Comcast has faced is a lack of consumer education. As I previously discussed, some Internet users thought Comcast was at fault when NASA.gov fumbled its DNSSEC key rollover in January.

Comcast's temporary solution to this problem is for a standardized "negative trust anchor" that can be placed into validating resolvers. This enables ISPs to create a manually validated exceptions list and avoid cutting off their customers from websites that have accidental DNSSEC issues.

Attendees at ICANN 43 also heard about PayPal's first-hand experience implementing DNSSEC across its 1,100 domain names. PayPal's Bill Smith explained how signing all these zones took lots of planning and preparation, starting with the company's least-used domains and working up to the popular ones. But, he said, that the experience was "not as hard as we might have thought." The roll out took eight months. He said that the next challenge is creating an effective key rollover strategy. If keys are updated too regularly, it could prove a drain on resources; too infrequently, and institutional DNSSEC knowledge could fade.

PayPal's experiences are those of an early adopter. DNSSEC will become easier over time as experience is gained and better tools become available. Several panelists at the Costa Rica session remarked that the new BIND 9.9 name server software has a feature that enables "bump in the wire" DNSSEC signing, potentially simplifying deployment. There are also managed DNS services, such as Afilias' own, which enable one-click DNSSEC deployment and fully outsourced key management.

By Ram Mohan, Executive Vice President & CTO, Afilias

Related topics: DNS, DNS Security, ICANN, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Why We Decided to Stop Offering Free Accounts

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Afilias Chairman Appointed to Domain Name Association Board

Dyn Acquires Managed DNS Provider Nettica

DotConnectAfrica Statement Regarding NTIA's Intent to Transition Key Internet Domain Name Function

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Afilias Joins Internet Technical Leaders in Welcoming IANA Globalization Progress

Why Managed DNS Means Secure DNS

DotConnectAfrica Trust Takes Its Case With ICANN to Independent Review Process (IRP) Panel

2013: A Year in Review, End of Year Message from DotConnectAfrica

TLDH Announces Sales Channel and gTLD Portfolio Update

Go-Live Schedule for Dot Chinese Online & Dot Chinese Website TLDs Announced

DotConnectAfrica Trust Attends ICANN 48 International Meeting in Buenos Aires, Argentina

TLDH Group Signs 6 New Top-Level Domain Contracts With ICANN

SPECIAL: Updates from the ICANN Meetings in Buenos Aires

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Pre-Delegation Testing for Dot Chinese Online (.在线) & Dot Chinese Website (.中文网) Begins

Sponsored Topics