|
With the latest “DNSpionage” attack, ICANN astutely prompted domain name holders to fully deploy DNSSEC on their names. Afilias absolutely supports this and encourages the same. In this post, I remind you of why DNSSEC is important and our continued role.
Afilias has a long history in the development and advocacy of DNSSEC. In 2007, we partnered with Public Interest Registry to help found dnssec-deployment.org—an organization designed to advance the operational deployment of DNSSEC (also known as the DNSSEC Consortium). This organization conducted a technical review and outreach necessary to develop DNSSEC best practices and the process for singing the root. The activities of DNSSEC Consortium were transitioned to the Internet Society and merged with their Deploy 360 Programme, where advocacy for DNSSEC continues today.
In 2009, Afilias launched our initial DNSSEC services, two years before the root was signed. The DNSSEC Practice Statement (DPS) for all TLDs has evolved since then to align with RFC 6841 (published in January 2013). Afilias deployed DNSSEC in Public Interest Registry’s .org in 2009, the largest TLD to do so at the time, which was more than one year before the root was signed. To facilitate the adoption, we actively engaged with select registrars to test the deployment of signing second level domain names and partnered with Public Interest Registry to develop and present multiple webinars to explain DNSSEC to registrars.
For those of you still wondering if you should deploy DNSSEC, let me explain why you should. DNSSEC solves a real security problem: integrity and authentication of DNS information. From the user perspective, this means ensuring a website, email or server location is the one you expect it to be. From the domain registrant perspective, without DNSSEC you are at risk for name server hijacking and cache poisoning and you may not get the traffic you desire, if any at all.
When you have enabled DNSSEC, your DNS information cannot be altered. Here’s how you do it:
If manipulated data is detected, your customers will be taken to an error page—and never to a fake site. Now that is peace of mind!
Today, DNSSEC is opt-in. But with the rise in DNS exploits, it is hard to imagine why anyone would not take this step to ensure trust in their digital identity. Afilias is continuing to explore ways to promote adoption and make it easier for our customers and their registrants to take advantage of this important technology, including easing the deployment process.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byWhoisXML API
As part of providing DNSSEC to our customers, we do periodic KSK rollovers. Does Affilias act as a registrar, and if so do you support (or know any registrar that does support) rfc8078?
At least gkg.net has a web interface where we can automatically update the DS records for key rollovers.
For extra points - TOTP 2fa on the web interface to setup the initial set of DS records.
To amplify Carl’s comments, our greatest barrier to deploying DNSsec at scale is the lack of API/automation support by the registrars we use. For the few test domains that we have turned up I have to login every few months to update the keys. One of the largest registrar’s, GoDaddy, does not have an API or RFC 8078 support. Since there’s apparently little commercial incentive, the Internet community may need to use other levers to encourage automation, such as making prerequisite to handling certain TLDs.
Good discussion of what Cloudflare has done:
https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/
I moved all of our domains to gkg.net simply because they have an api that allows automated ksk key rollover. It has worked nicely for at least the last five years.
See https://www.five-ten-sg.com/mapper/blog/DNSSEC - failure to launch for a summary of the poor state of DNSSEC signing.