IGF 2010 Workshop Report

Deploying DNSSEC In A Territory
James Galvin

Chair and Moderator: James Galvin, Afilias Limited - representing ICANN's Security and Stability Advisory Committee; Dmitry Burkov, a Trusted Community Representative for the root signing process; Nurani Nimpuno, netnod; Peter Janssen, .EU; Alexa Raad, Public Interest Registry; Ondrej Filip, CZ NIC; Sebastien Bellagamba, Internet Society


More than a dozen countries have now deployed DNSSEC in their TLD. With the root now signed and our collective experience at an all-time high, this is an opportunity to bring together the experiences of those who have deployed DNSSEC to share their lessons learned and to discuss what was necessary to successfully deploy DNSSEC. We had representatives from the complete chain of players involved in DNSSEC deployment, from the registrant who must elect to sign their own domain, through the registry, and the DNS operator who must support the deployment, to the Governments who must commit to the deployment of DNSSEC by setting the policy. The root zone has been signed and deployed since July 2010. We reviewed that success and the interactions between the root zone and countries, thus establishing the foundation we will have for a more secure Internet experience within a country and throughout the world. This workshop began with very short position statements from the panelists. The principal objective of this session was an interactive engagement with the attendees to discuss what is necessary in order to successfully deploy DNSSEC in their country.


DNSSEC Deployment Initiative: http://www.dnssec-deployment.org; Security and Stability Advisory Committee: http://www.icann.org/en/committees/security/; Internet Society: http://www.isoc.org; Root Server Operations: http://www.root-servers.org;


The Workshop began with a moderately detailed review of the history of DNSSEC, from its beginnings in 1993 through the evolution of the DNS during which it became a critical infrastructure protocol. Everything that we do on the Internet depends on the DNS. It is the foundation upon which all applications and services are built. Without the DNS, virtually nothing would work.

DNSSEC is an opportunity for the next evolutionary step in the Internet. It's an opportunity to provide the foundation for a new, secure, safe Internet for everyone. With DNSSEC you get certain guarantees about the site that you're going to and the service that you're trying to communicate with. We need DNSSEC for the future. We need it for the next step of what the Internet will become moving forward.

Like any new technology, DNSSEC requires preparation. While its deployment is relatively new, we do have a lot of experience. The early adopters have a lot to offer from their experiences. There is a fair amount of free software available for those who want to deploy DNSSEC on their own. There are also a number of service providers offering services to facilitate your deployment of DNSSEC.

Beginning with the root, each panelist presented a moderately detailed summary of their deployment experience. ICANN, along with its partners VeriSign and NTIA, is the keeper of the top of the chain of trust, probably the single most important point in the DNS hierarchy. They chose very high-end processes and procedures to manage the signing of the root, and they did so in a very open and transparent way, including the entire Internet community in the process. Some very detailed statistics were presented, clearly showing that with planning and careful execution the transition of the root zone, perhaps the most important zone in the DNS, from unsigned to signed could be executed without incident.
Three top-level domain registries and one registry service provider provided a review of their experiences. Each included their specific recommendations for what worked for them. Finally, from a user perspective, the Internet Society described its experience as the first domain name to sign its zone when the .ORG TLD went live with signed delegations.

Two essential points were made during the discussion between the panelists and the workshop participants. First, planning is essential. In order to ensure a seamless transition that moves a TLD from unsigned to signed with no loss of service, registries must develop a plan and execute according to that plan. There are now many resources with various suggestions about how to deploy DNSSEC. A careful study of the experiences of others will fa...


The transcript for this session includes a great deal more detail and is recommended reading.