The Workshop began with a moderately detailed review of the history
of DNSSEC, from its beginnings in 1993 through the evolution of the
DNS during which it became a critical infrastructure protocol.
Everything that we do on the Internet depends on the DNS. It is the
foundation upon which all applications and services are built.
Without the DNS virtually nothing would work.
DNSSEC is an opportunity for the next evolutionary step in the
Internet. It's an opportunity to provide the foundation for a new,
secure and safe Internet for everyone. With DNSSEC you get
certain guarantees about the site that you're going to and the
service that you're trying to communicate with. We need DNSSEC for
the future. We need it for the next step of what the Internet will
become moving forward.
Like any new technology, DNSSEC requires preparation. While its
deployment is relatively new, we do have a lot of experience. The
early adopters have a lot to offer from their experiences. There is
a fair amount of free software out there, for those who want to
engage in the deployment of DNSSEC on their own. There are a number
of service providers who have services to offer to facilitate your
deployment of DNSSEC.
Beginning with the root, each panelist presented a moderately
detailed summary of their deployment experience. ICANN, along
with its partners VeriSign and NTIA, is the keeper of the top of
the chain of trust, probably the single most important point in the
DNS hierarchy. They chose very high-end processes and procedures to
manage the signing of the root, and they did so in a very open and
transparent way, including the entire Internet community in the
process. Some very detailed statistics were presented, clearly
showing that with planning and careful execution the transition of
the root zone, perhaps the most important zone in the DNS, from
unsigned to signed could be executed without incident.
Three top-level domain registries and one registry service provider
provided a review of their experiences. Each included their
specific recommendations for what worked for them.
Finally, from a user perspective, the Internet Society described
their experience as the first domain name to sign their zone when
the .ORG TLD went live with signed delegations.
Two essential points were made during the discussion between the
panelists and the workshop participants. First, planning is
essential. In order to ensure a seamless transition that moves a
TLD from unsigned to signed with no loss of service, registries must
develop a plan and execute according to that plan. There are now
many resources with various suggestions about how to deploy
DNSSEC. A careful study of the experiences of others will