Afilias Project Expands DNSSEC Deployments
As Afilias accelerates DNSSEC for top-level domains, what is the current status for DNSSEC deployment, and what's next?
In a bid to shore up its portion of the Internet's architecture, domain operator Afilias is ramping up its efforts to deploy DNS Security Extensions (DNSSEC) across the top-level domains (TLDs) it supports.
DNSSEC is a technology solution that is intended to help secure and guarantee the authenticity of DNS information, ensuring that the Internet continues to run smoothly.
The issue of securing DNS with DNSSEC grabbed headlines in the summer of 2008, after security researcher Dan Kaminsky revealed security risks with DNS. DNSSEC can resolve those security issues, and deployments have accelerated in 2010, though there is still much work left to be done.
"So far over 50 TLDs have enabled DNSSEC, including the TLDs that Afilias supports," Ram Mohan, executive vice president and CTO at Afilias, told InternetNews.com. "But with more than 270 TLDs in the world, there are a number of operators among gTLD and ccTLDs that are yet to deploy."
Afilias operates multiple TLDs including .org, which was one of the first to be signed for DNSSEC. In total, Afilias has now enabled DNSSEC for 12 of its TLD zones: .org, .info, .ag, .bz, .hn, .lc, .vi, .in, .asia, .gi, .mn, and .sc. The company has not yet announced DNSSEC for the .me, .aero or .mobi TLDs, which it also administers.
The DNSSEC support at Afilias is all part of Project Safeguard. Through the effort, Afilias has provided a global strategy to upgrade its registry and DNS infrastructure across its global technology platforms to support DNSSEC.
In Mohan's view, enabling DNSSEC for .org began the wave of interest in DNSSEC operations among businesses today. Another key driver has been the signing of the DNS root zone for DNSSEC in July of this year.
"While the root being signed is helpful, the next real tipping point in DNSSEC adoption will come after .com is signed and registrars begin to enable DNSSEC in their day-to-day operations," Mohan said. "Registrar action on DNSSEC is required for general website users to add DNSSEC to their domains."
Mohan expects that most registrars will have DNSSEC on their development schedules in the later part of 2011, or into early 2012. VeriSign has publicly stated that the .com and .net registries are set to enable DNSSEC in 2011.
While DNSSEC is viewed as a necessary technology to secure the Internet, deployment is not without cost.
"DNSSEC has been a major, multi-million dollar investment for Afilias since we first deployed DNSSEC for .org beginning in 2009," Mohan said. "We consider this an investment that our registry and DNS service needs to provide, in order to power the next generation of the Internet infrastructure that is required for more advanced security."
After having set up multiple TLDs with DNSSEC, Mohan has a few best practices that he can pass along to others who haven't yet made the move. While Mohan encourages all TLD operators to embrace DNSSEC, he noted that it is not a measure to be taken lightly.
"You should seek guidance from an expert in both DNS and DNSSEC operations," Mohan said. "From a technical standpoint, we advocate that TLD registries adopt NSEC3, and look closely at the business rule changes around RFC 4310 that affect EPP (Extensible Provisioning Protocol) operations in the registry."
He also advocates that TLD operators enhance their DNS operations in order to handle the increases in bandwidth and TCP queries that come with DNSSEC usage.
Moving forward, Mohan noted that in 2011 Afilias will begin its outreach program for registrars, designed to educate them on how best to enable DNSSEC operations in their registration, hosting and DNS operations.
"This is critical to us, because registrars must handle DNSSEC key information between the registrant and all of their managed hosting and DNS providers," Mohan said. "They literally will be managing the keys to the kingdom for sites that deploy DNSSEC."