March 22, 2012 archive

Whitepaper: Challenges and Opportunities in Deploying DNSSEC


At the SATIN 2012 conference on March 23, 2012, the Internet Society’s Dan York spoke about a paper that he and other members of the Internet Society staff developed outlining some of the challenges with DNSSEC deployment and identifying opportunities to simplify the user experience to accelerate DNSSEC deployment. The document is now available for download at:

Challenges and Opportunities in Deploying DNSSEC (SATIN 2012)

The document lays out the challenges and opportunities for:

  • Domain name consumers - any person or application that is using a domain name.
  • Domain name holders - people or organizations who have registered a domain and, in the context of DNSSEC, want to sign the domain.
  • Domain name infrastructure operators - people or organizations that provide the actual service behind the Domain Name System and have a role to play in the DNSSEC signing and validation processes.

Within each section, there are multiple subsections with specific examples.  The document concludes with some thoughts about additional opportunities to accelerate DNSSEC deployment and a lengthy list of resources for further exploration of the topic.

Our goal is that this document can stimulate further discussion about these points and lead to solutions that move DNSSEC deployment further.  We also will be using it within the Deploy360 Programme to identify areas where we need to add more DNSSEC resources to the site.

We welcome any and all feedback and comments, either directly here as comments to this page or sent to us via email or our web form.

Whitepaper: .SE Health Status Report on DNS and DNSSEC

This week the folks at .SE in Sweden released a report full of DNS and DNSSEC information and statistics related to .SE at:

.SE Health Status – DNS and DNSSEC (PDF)

Today at the SATIN 2012 event in London, Anne-Marie Eklund Löwinder from .SE discussed many of the statistics and information contained in the report.    She highlighted many of the major errors they’ve seen and provided an intriguing view into how DNSSEC is actually being deployed in terms of key lengths, encryption algorithms, etc.

At the time of the analysis in early February, .SE had 174,487 domains signed with DNSSEC out of a total of 1,195,719 registered domains.  The document contains a number of interesting charts and other data.

While this report is obviously about a single top-level-domain, it provides interesting insight into DNS and DNSSEC deployment.  Sweden has been a leader in DNSSEC deployment and we look forward to seeing future surveys and the continued growth in signed domains.  Thanks to the .SE team for providing this data to the larger community.

P.S. Want to learn more about how to deploy DNSSEC?  View our list of DNSSEC resources to get started!

Video: Dan York on why Deploy360 was at ICANN43

Why was I (Dan York) at ICANN 43 last week in Costa Rica? While I was at the event, a gent named Glenn McKnight was going around recording videos of various attendees talking about why they were attending ICANN 43. Naturally I was glad to speak to him about the DNSSEC Deployment Workshop and my interest there. Glen is now putting those videos online, and my video interview is available.

(Note: The video interview is only 1 minute 47 seconds long, not the 6:49 shown when you start the video.  The remaining 5 minutes seems to be an entirely black screen. Not sure what happened there.)

Thanks, Glen, for recording the interview!