Home / Blogs

Say YES to DNSSEC

Ram Mohan

With the latest "DNSpionage" attack, ICANN astutely prompted domain name holders to fully deploy DNSSEC on their names. Afilias absolutely supports this and encourages the same. In this post, I remind you of why DNSSEC is important and our continued role.

Afilias has a long history in the development and advocacy of DNSSEC. In 2007, we partnered with Public Interest Registry to help found dnssec-deployment.org — an organization designed to advance the operational deployment of DNSSEC (also known as the DNSSEC Consortium). This organization conducted a technical review and outreach necessary to develop DNSSEC best practices and the process for singing the root. The activities of DNSSEC Consortium were transitioned to the Internet Society and merged with their Deploy 360 Programme, where advocacy for DNSSEC continues today.

In 2009, Afilias launched our initial DNSSEC services, two years before the root was signed. The DNSSEC Practice Statement (DPS) for all TLDs has evolved since then to align with RFC 6841 (published in January 2013). Afilias deployed DNSSEC in Public Interest Registry's .org in 2009, the largest TLD to do so at the time, which was more than one year before the root was signed. To facilitate the adoption, we actively engaged with select registrars to test the deployment of signing second level domain names and partnered with Public Interest Registry to develop and present multiple webinars to explain DNSSEC to registrars.

For those of you still wondering if you should deploy DNSSEC, let me explain why you should. DNSSEC solves a real security problem: integrity and authentication of DNS information. From the user perspective, this means ensuring a website, email or server location is the one you expect it to be. From the domain registrant perspective, without DNSSEC you are at risk for name server hijacking and cache poisoning and you may not get the traffic you desire, if any at all.

When you have enabled DNSSEC, your DNS information cannot be altered. Here's how you do it:

  1. Ensure your domain's registry and registrar have deployed DNSSEC.
  2. Ensure your DNS hosting provider supports DNSSEC (this may be your registrar unless you have made separate arrangements) and is able to sign (and re-sign) your DNS zone files.
  3. Make this a technical AND marketing win for your organization: Promote to your customers that they can trust your website as it is protected by DNSSEC.
  4. Go one step further: Educate your customers to use and to look for other sites using DNSSEC: ensure their Internet service provider offers a validating DNS resolver, seek and deploy DNSSEC extensions for their favorite applications (e.g., your browser).

If manipulated data is detected, your customers will be taken to an error page — and never to a fake site. Now that is peace of mind!

Today, DNSSEC is opt-in. But with the rise in DNS exploits, it is hard to imagine why anyone would not take this step to ensure trust in their digital identity. Afilias is continuing to explore ways to promote adoption and make it easier for our customers and their registrants to take advantage of this important technology, including easing the deployment process.

By Ram Mohan, Executive Vice President & CTO, Afilias – Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry. Visit Page
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

KSK rollovers Carl Byington  –  Mar 06, 2019 8:16 PM PDT

As part of providing DNSSEC to our customers, we do periodic KSK rollovers. Does Affilias act as a registrar, and if so do you support (or know any registrar that does support) rfc8078?

At least gkg.net has a web interface where we can automatically update the DS records for key rollovers.

For extra points - TOTP 2fa on the web interface to setup the initial set of DS records.

To amplify Carl's comments, our greatest barrier Frank Bulk  –  Mar 09, 2019 2:22 PM PDT

To amplify Carl's comments, our greatest barrier to deploying DNSsec at scale is the lack of API/automation support by the registrars we use.  For the few test domains that we have turned up I have to login every few months to update the keys.  One of the largest registrar's, GoDaddy, does not have an API or RFC 8078 support. Since there's apparently little commercial incentive, the Internet community may need to use other levers to encourage automation, such as making prerequisite to handling certain TLDs.
Good discussion of what Cloudflare has done:
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/

I moved all of our domains to Carl Byington  –  Mar 11, 2019 10:34 AM PDT

I moved all of our domains to gkg.net simply because they have an api that allows automated ksk key rollover. It has worked nicely for at least the last five years.

See https://www.five-ten-sg.com/mapper/blog/DNSSEC - failure to launch for a summary of the poor state of DNSSEC signing.

To post comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias