As regular readers know, ICANN holds lengthy, in-depth discussions devoted to DNSSEC at each of its three annual meetings. The half-day session held at ICANN 43 in Costa Rica last month was particularly interesting. What became clear is that the industry is quickly moving into the end-user adoption phase of global DNSSEC deployment.

If you’re not a regular reader, I should quickly explain that DNSSEC (Domain Name System Security Extensions) is the next-generation protocol that enables domain name registrants to give their users a more secure, trustworthy experience. Using cryptographic signatures, DNSSEC prevents man-in-the-middle spoofing attacks, such as the one illustrated by the Kaminsky Bug in 2008.

During the session, attendees first heard from various domain name registries. Staffan Hagnel from .SE, the pioneering Swedish ccTLD operator, explained how the registry persuaded its customers to adopt DNSSEC en masse by offering discounts to registrars. When .SE offered a 2.5% discount, he said, it had almost no effect. However, when the registry doubled the discount to 5% for any domain that was signed by the end of the year, DNSSEC adoption jumped from 4,000 domains to 172,000, literally overnight. It now plans to offer a 7.5% discount with the goal to get to 350,000 signed domains by the end of 2012.

On the ISP side of the deployment initiative, Costa Rica delegates heard from Comcast, the large American ISP that took the bold decision to make all of its DNS servers validating resolvers. It has found that 1.75% of the top 2,000 domains requested by its customers are DNSSEC-aware (often, these same domains are also IPv6-compatible). The main issue Comcast has faced is a lack of consumer education. As I previously discussed, some Internet users thought Comcast was at fault when NASA.gov fumbled its DNSSEC key rollover in January.

Comcast’s temporary solution to this problem is for a standardized “negative trust anchor” that can be placed into validating resolvers. This enables ISPs to create a manually validated exceptions list and avoid cutting off their customers from websites that have accidental DNSSEC issues.

Attendees at ICANN 43 also heard about PayPal’s first-hand experience implementing DNSSEC across its 1,100 domain names. PayPal’s Bill Smith explained how signing all these zones took lots of planning and preparation, starting with the company’s least-used domains and working up to the popular ones. But, he said, that the experience was “not as hard as we might have thought.” The roll out took eight months. He said that the next challenge is creating an effective key rollover strategy. If keys are updated too regularly, it could prove a drain on resources; too infrequently, and institutional DNSSEC knowledge could fade.

PayPal’s experiences are those of an early adopter. DNSSEC will become easier over time as experience is gained and better tools become available. Several panelists at the Costa Rica session remarked that the new BIND 9.9 name server software has a feature that enables “bump in the wire” DNSSEC signing, potentially simplifying deployment. There are also managed DNS services, such as Afilias’ own, which enable one-click DNSSEC deployment and fully outsourced key management.