With the latest “DNSpionage” attack, ICANN astutely prompted domain name holders to fully deploy DNSSEC on their names. Afilias absolutely supports this and encourages the same. In this post, I remind you of why DNSSEC is important and our continued role.
Afilias has a long history in the development and advocacy of DNSSEC. In 2007, we partnered with Public Interest Registry to help found dnssec-deployment.org—an organization designed to advance the operational deployment of DNSSEC (also known as the DNSSEC Consortium). This organization conducted the technical review and outreach necessary to develop DNSSEC best practices and the process for signing the root. The activities of the DNSSEC Consortium were transitioned to the Internet Society and merged with its Deploy 360 Programme, where advocacy for DNSSEC continues today.
In 2009, Afilias launched our initial DNSSEC services, two years before the root was signed. The DNSSEC Practice Statement (DPS) for all TLDs has evolved since then to align with RFC 6841 (published in January 2013). Afilias deployed DNSSEC in Public Interest Registry’s .org in 2009, the largest TLD to do so at the time, which was more than one year before the root was signed. To facilitate the adoption, we actively engaged with select registrars to test the deployment of signing second level domain names and partnered with Public Interest Registry to develop and present multiple webinars to explain DNSSEC to registrars.
For those of you still wondering if you should deploy DNSSEC, let me explain why you should. DNSSEC solves a real security problem: integrity and authentication of DNS information. From the user perspective, this means ensuring a website, email or server location is the one you expect it to be. From the domain registrant perspective, without DNSSEC you are at risk for name server hijacking and cache poisoning and you may not get the traffic you desire, if any at all.
When you have enabled DNSSEC, your DNS information cannot be altered without detection. Here’s how you do it:
If manipulated data is detected, your customers will be taken to an error page—and never to a fake site. Now that is peace of mind!
Today, DNSSEC is opt-in. But with the rise in DNS exploits, it is hard to imagine why anyone would not take this step to ensure trust in their digital identity. Afilias is continuing to explore ways to promote adoption and make it easier for our customers and their registrants to take advantage of this important technology, including easing the deployment process.
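What a registrant actually hands the parent zone when enabling DNSSEC is a DS record derived from the zone's KSK, and that record has to be replaced every time the KSK rolls. The following is an added example, not Afilias's code: it derives the DS for a DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4 and RFC 4509) and lists the KSKs that the DS set currently published at the registrar does not cover. Every name and key in it is constructed.

```python
# Added example, not Afilias code; every name and key used with it is constructed, not real.
import base64
import hashlib
import struct
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type -> hash

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes
    @classmethod
    def parse(cls, rr):
        """Parse presentation format: 'example. [TTL] IN DNSKEY 257 3 13 <base64 ...>'."""
        t = rr.split()
        i = t.index("DNSKEY")
        return cls(t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]),
                   base64.b64decode("".join(t[i + 4:])))
    def rdata(self):
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key
    def key_tag(self):
        ac = 0  # RFC 4034 Appendix B: high byte at even offsets, low byte at odd, fold the carry
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(key, digest_type=2):
    """DS RDATA in presentation form: '<key tag> <algorithm> <digest type> <hex digest>'."""
    digest = DIGESTS[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return f"{key.key_tag()} {key.algorithm} {digest_type} {digest}"

def ds_matches(key, ds):
    t = ds.split()  # a published DS may have its hex digest split across several tokens
    tag, alg, dtype, digest = int(t[0]), int(t[1]), int(t[2]), "".join(t[3:]).upper()
    return dtype in DIGESTS and ds_record(key, dtype) == f"{tag} {alg} {dtype} {digest}"

def ksks_without_ds(keys, published_ds):
    """Key tags of zone KSKs that no DS at the parent covers: these still need a DS update."""
    return [k.key_tag() for k in keys
            if k.flags & 1 and not any(ds_matches(k, d) for d in published_ds)]
```

Feed `ksks_without_ds` the DNSKEY RRset from the zone and the DS RRset as served by the parent; a non-empty result after a rollover means the registrar's DS set has not caught up yet.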
As part of providing DNSSEC to our customers, we do periodic KSK rollovers. Does Afilias act as a registrar, and if so do you support (or know any registrar that does support) RFC 8078?
At least gkg.net has a web interface where we can automatically update the DS records for key rollovers.
For extra points - TOTP 2fa on the web interface to setup the initial set of DS records.
To amplify Carl’s comments, our greatest barrier to deploying DNSSEC at scale is the lack of API/automation support by the registrars we use. For the few test domains that we have turned up I have to log in every few months to update the keys. One of the largest registrars, GoDaddy, does not have an API or RFC 8078 support. Since there’s apparently little commercial incentive, the Internet community may need to use other levers to encourage automation, such as making it a prerequisite to handling certain TLDs.
Good discussion of what Cloudflare has done:
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/
I moved all of our domains to gkg.net simply because they have an api that allows automated ksk key rollover. It has worked nicely for at least the last five years.
See https://www.five-ten-sg.com/mapper/blog/DNSSEC - failure to launch for a summary of the poor state of DNSSEC signing.