Home / Blogs

DNSSEC Baby Steps Reported at ICANN 41

The Internet is slowly beginning to adopt the new DNSSEC domain names standard, but significant challenges remain. That was the main takeaway from a four-hour workshop on the technology held during the recent ICANN 41 public meeting in Singapore, which heard from many domain registries, registrars and other infrastructure providers.

July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment—encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.

About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars—seven or eight of them in the top ten by registration volume—have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That’s a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant—obviously a thought-leader—has signed 500 of his own domains.

But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.

This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008’s Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC’s strongest proponent would wish for that scenario.

In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN’s new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants—like potential high-security authenticated zones, such as .secure or .pay—to enforce the protocol at the second level, too.

You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it’s that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that’s a good thing.

By Ram Mohan, Chief Operating Officer at Afilias

Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API