The Internet is slowly beginning to adopt the new DNSSEC domain names standard, but significant challenges remain. That was the main takeaway from a four-hour workshop on the technology held during the recent ICANN 41 public meeting in Singapore, which heard from many domain registries, registrars and other infrastructure providers.

July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment -- encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.

About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars -- seven or eight of them in the top ten by registration volume -- have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That's a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant –- obviously a thought-leader -– has signed 500 of his own domains.

But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.

This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008's Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC's strongest proponent would wish for that scenario.

In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN's new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants -- like potential high-security authenticated zones, such as .secure or .pay -- to enforce the protocol at the second level, too.

You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it's that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that's a good thing.

Visit Afilias and dotMobi at HostingCon booth #226.  Find out how easy it is to set-up a mobile-user friendly website with GoMobi, and how to ensure 100% uptime of your DNS with Afilias' FlexDNS.

• ‹ previous
• 101 of 105
• next ›

Join Afilias and your peers at this free networking event hosted by the Web Host Industry Review. Tasty appetizers and drinks will be provided at Mabel's on Main, . Don't forget to RSVP!

Join Afilias and your peers at this free networking event hosted by the Web Host Industry Review. Tasty appetizers and drinks will be provided at Koko Restaurant and Bar, Montreal's hottest new drinking and socializing destination. Don't forget to RSVP!

I recently wrote about the encouraging level of DNSSEC adoption among top-level domain name registries, and noted that adoption at the second level and in applications is an important next step for adding more security to the DNS. The root and approximately 20 percent of the top level domains are now signed; it is time for registrars and recursive DNS servers operated by the ISPs to occupy center stage. I'm happy to report that a workshop on the deployment of the DNSSEC protocol at the recent ICANN 40 meeting in San Francisco provided an excellent opportunity for many vital stakeholders to share their views and deployment stories.

DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.

ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop’s location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."

During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.

Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.

Right now, DNS service providers are doing their parts. A collection of services from various vendors, including Afilias' own One Click DNSSEC, have recently launched to make it easier for companies to secure their zones without getting into the complex technical guts of key generation, management and rollover.

The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.

Less than nine months after the DNS root was signed, the rollout of DNSSEC across the Internet's top-level domains is approaching the tipping point. Thanks to the combined efforts of registries around the world, the new security protocol will soon be available to the majority of domain name registrants in almost a quarter of all TLDs.

As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.

According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our “Project Safeguard.” Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.

Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.

DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.

When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.

Join Afilias and your peers at this free networking event hosted by the Web Host Industry Review. Tasty appetizers and drinks will be provided at Aurum, Atlanta’s new lounge and speakeasy endowed with amazing decor, friendly service, and blissful ambiance.  Don't forget to RSVP!

Join Afilias and your peers at this free networking event hosted by the Web Host Industry Review. Tasty appetizers and drinks will be provided at C LOUNGE  a spa inspired bar, the first of its kind in Toronto.  Don't forget to RSVP!

Join Afilias and your peers at this free networking event hosted by the Web Host Industry Review. Tasty appetizers and drinks will be provided at Rockit Bar and Grill located in the heart of the booming River North Neighborhood. Don't forget to RSVP!

The new .bayern TLD will reinforce the unique geographic identity of the businesses and inhabitants of Bavaria, Germany’s second-most populous state.

Munich, March 17, 2011 — PunktBayern, the company behind the upcoming new top level geographic domain .bayern, today announced that it has chosen Afilias as its partner for registry and DNS services.

Afilias, a leading global provider of Internet infrastructure services, will also work closely with PunktBayern on its upcoming top level domain (TLD) application to the Internet Corporation for Assigned Names and Numbers (ICANN). This initiative will be part of ICANN’s planned TLD expansion program, anticipated to start in the latter half of 2011.

PunktBayern — German for “dotBavaria” — was founded in 2006 specifically to bring the .bayern TLD to market. The TLD is designed to reinforce the unique geographic identity of the businesses and inhabitants of Bavaria, the second-most populous state in Germany with 2.5 million residents.

“PunktBayern wanted to work with a company who could provide a reliable registry infrastructure for the launch and growth of the .bayern TLD. We selected Afilias based on its outstanding support for a diverse range of TLDs since 2001 with the launch of .INFO,” said Lothar Kunz, managing director of PunktBayern GmbH & Co. KG. “Thanks to Afilias, PunktBayern will be able to focus on growing the recognition of .bayern in the marketplace since we know that Afilias will be able to successfully handle all the ‘back-end’ services for us.”

Kunz added, “PunktBayern plans to establish the .bayern domain by focusing on websites that will make Bavarian products and services easily available around the world. Down the road, .bayern will also play an important role as a virtual gate to Bavaria, where citizens will intuitively find e-government services.”

Roland LaPlante, Senior Vice President of Afilias, said, “Afilias is proud to have been selected to help bring .bayern to market. Given the unique nature of the Bavarian region, PunktBayern has strong potential to extend this identity on the Internet and provide a superior TLD choice compared to generic TLDs.”

About PunktBayern®
PunktBayern is the company behind the .bayern top level domain for Bavaria, designed to give Bavarians a unique Internet identity. Any Bavarian-based person, company or organization can register .bayern domains once they are commercially available. PunktBayern will also work closely with the government of the State of Bavaria to ensure that .bayern supports the needs of all Bavarians. More information about PunktBayern is available at www.punktbayern.de.

About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias, visit www.afilias.info.