
Slowly Cracking the DNSSEC Code at ICANN 43

Ram Mohan

As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment.

If you're not a regular reader, I should quickly explain that DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS data, so that a domain name registrant can give users a way to verify that the answers they receive for its domain are genuine. A resolver that validates those signatures rejects forged or altered responses, which defeats cache-poisoning attacks such as the one illustrated by the Kaminsky bug in 2008. (DNSSEC authenticates DNS data; it does not encrypt queries or hide who is asking for what.)

During the session, attendees first heard from various domain name registries. Staffan Hagnel from .SE, the pioneering Swedish ccTLD operator, explained how the registry persuaded its customers to adopt DNSSEC en masse by offering discounts to registrars. When .SE offered a 2.5% discount, he said, it had almost no effect. However, when the registry doubled the discount to 5% for any domain that was signed by the end of the year, DNSSEC adoption jumped from 4,000 domains to 172,000, literally overnight. It now plans to offer a 7.5% discount with the goal to get to 350,000 signed domains by the end of 2012.

On the ISP side of the deployment initiative, Costa Rica delegates heard from Comcast, the large American ISP that took the bold decision to make all of its DNS servers validating resolvers. It has found that 1.75% of the top 2,000 domains requested by its customers are DNSSEC-signed (often, these same domains are also IPv6-enabled). The main issue Comcast has faced is a lack of consumer education. As I previously discussed, when NASA.gov fumbled its DNSSEC key rollover in January, Comcast's resolvers did what a validator is supposed to do and refused to return answers they could no longer verify; some Internet users concluded that Comcast, not NASA, was at fault.

Comcast's proposed interim fix is a standardized "negative trust anchor" that an operator can place in a validating resolver. It gives ISPs a manually curated exception list: validation is switched off for a single zone whose operator has confirmed that it broke its own signing, so customers are not cut off from websites with accidental DNSSEC problems. The caveat is that a negative trust anchor is only safe once the failure has been verified as a misconfiguration rather than an attack, and it should be removed as soon as the zone is repaired; while it is in place, answers for that zone are treated as unsigned, not as validated.
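To make the three situations above concrete (a validator rejecting a forged answer, a validator rejecting a zone whose key rollover went wrong, and a negative trust anchor letting that zone resolve again), here is a small simulation. It is an added example, not code from Comcast, NASA or the ICANN session, and it deliberately uses textbook RSA over fixed public primes in place of the real RFC 4034 record formats, PKCS#1 padding and DS chain; the zone names, addresses and key material are all constructed for the demo.

```python
"""Toy model of a validating resolver, a forged answer, a botched key
rollover and a negative trust anchor. Constructed example: textbook RSA
over fixed public Mersenne primes and SHA-256, not the RFC 4034 wire
format, PKCS#1 padding or a real DS chain. Do not reuse for real zones."""
import hashlib
from dataclasses import dataclass

E = 65537  # the usual public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int

    @classmethod
    def from_primes(cls, p, q, e=E):
        # p and q are fixed and public here, so this is a demo key only.
        return cls(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))

    def public(self):
        return (self.n, self.e)


def canonical(name, rtype, rdata):
    """What the RRSIG covers: owner name, type and the sorted RRset."""
    return f"{name.lower()}|{rtype}|{'|'.join(sorted(rdata))}".encode()


def rsa_sign(key, data):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key.n
    return pow(h, key.d, key.n)


def rsa_verify(pub, data, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return 0 <= sig < n and pow(sig, e, n) == h


def sign_rrset(zone_key, name, rtype, rdata):
    """Authoritative side: an answer carrying the RRSIG for its RRset."""
    return {"name": name, "type": rtype, "rdata": list(rdata),
            "rrsig": rsa_sign(zone_key, canonical(name, rtype, rdata))}


class ValidatingResolver:
    """One public key per signed zone stands in for the DS chain from the
    root. A negative trust anchor (NTA) turns validation off for one zone
    the operator has confirmed is misconfigured, not under attack."""

    def __init__(self, trust_anchors, negative_trust_anchors=()):
        self.trust_anchors = {z.lower(): k for z, k in trust_anchors.items()}
        self.nta = {z.lower() for z in negative_trust_anchors}

    def resolve(self, zone, answer):
        """Return (status, rdata); 'bogus' means SERVFAIL to the client."""
        zone = zone.lower()
        if zone in self.nta:
            return "insecure", answer["rdata"]
        pub = self.trust_anchors.get(zone)
        if pub is None:  # unsigned zone: nothing to validate against
            return "insecure", answer["rdata"]
        data = canonical(answer["name"], answer["type"], answer["rdata"])
        sig = answer.get("rrsig")
        if sig is not None and rsa_verify(pub, data, sig):
            return "secure", answer["rdata"]
        return "bogus", None


def demo():
    """The cases from the text; returns each case's (status, rdata)."""
    old_key = KeyPair.from_primes(2**107 - 1, 2**127 - 1)
    new_key = KeyPair.from_primes(2**89 - 1, 2**107 - 1)
    strict = ValidatingResolver({"example.net": old_key.public()})

    genuine = sign_rrset(old_key, "www.example.net", "A", ["192.0.2.10"])
    # Kaminsky-style poisoning: the forged answer swaps the address but
    # keeps the genuine RRSIG, which no longer matches what it covers.
    forged = dict(genuine, rdata=["203.0.113.66"])
    # Botched rollover: the zone now signs with new_key, but the resolver
    # still trusts old_key because the parent's DS was never updated.
    rolled = sign_rrset(new_key, "www.example.net", "A", ["192.0.2.10"])
    # The operator adds an NTA for the zone: answers flow again, but are
    # marked insecure, never secure, until the zone is actually repaired.
    lenient = ValidatingResolver({"example.net": old_key.public()},
                                 negative_trust_anchors=["example.net"])
    return {
        "genuine": strict.resolve("example.net", genuine),
        "forged": strict.resolve("example.net", forged),
        "botched_rollover": strict.resolve("example.net", rolled),
        "with_nta": lenient.resolve("example.net", rolled),
    }


if __name__ == "__main__":
    for case, (status, rdata) in demo().items():
        print(f"{case:17} {status:9} {rdata}")
```

The `with_nta` case is the one to notice: the negative trust anchor restores service, but the answer comes back as `insecure`, the same status an unsigned zone would get, so anything downstream that relies on a `secure` result (DANE, for instance) still treats the zone as unprotected until the operator fixes its keys and the exception is removed.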

Attendees at ICANN 43 also heard about PayPal's first-hand experience implementing DNSSEC across its 1,100 domain names. PayPal's Bill Smith explained how signing all these zones took lots of planning and preparation, starting with the company's least-used domains and working up to the popular ones. But the experience, he said, was "not as hard as we might have thought." The rollout took eight months. The next challenge, he said, is an effective key rollover strategy: roll keys too frequently and the process becomes a drain on resources; too infrequently, and the institutional DNSSEC knowledge needed to do it correctly could fade.

PayPal's experiences are those of an early adopter. DNSSEC will become easier over time as experience is gained and better tools become available. Several panelists at the Costa Rica session remarked that the new BIND 9.9 name server software has a feature that enables "bump in the wire" DNSSEC signing (BIND calls it inline signing: the server keeps a signed copy of the zone itself and re-signs it as the unsigned master file changes), potentially simplifying deployment. There are also managed DNS services, such as Afilias' own, which enable one-click DNSSEC deployment and fully outsourced key management.
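What the "bump in the wire" mode looks like in practice, as an added configuration example rather than anything the panelists showed: with BIND 9.9's inline signing, named loads the unsigned master file, maintains a signed copy beside it, and handles signing and re-signing itself from keys found in the key directory, so the zone file is edited exactly as before. The zone name and paths below are placeholders.

```conf
// Added example, not from the original post. Assumes BIND 9.9 or later
// and key pairs created with dnssec-keygen in /etc/bind/keys (placeholders).
zone "example.net" {
    type master;
    file "/etc/bind/zones/example.net.db";   // unsigned zone, edited as before
    key-directory "/etc/bind/keys";          // ZSK/KSK pairs from dnssec-keygen
    inline-signing yes;                      // named maintains example.net.db.signed itself
    auto-dnssec maintain;                    // load keys and follow their timing metadata
};
```

Inline signing automates the signing; it does not publish the KSK's DS record in the parent zone, which still has to go through the registrar before resolvers will validate the zone at all.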

By Ram Mohan, Executive Vice President & CTO, Afilias. Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Related topics: DNS, DNS Security, ICANN, Security
