Category: maps

Madagascar Signs .MG With DNSSEC As Part Of “Internet Day”

Madagascar DNSSEC

Last week the island country of Madagascar became the latest country-code top-level domain (ccTLD) to sign their .MG domain with DNSSEC.  As we note in the steps for signing a domain, having a signed TLD is critical so that your domain can tie into the global “chain of trust” that provides the added security of DNSSEC.

Now that this step has been completed, the next steps will involve the registrars and DNS hosting providers for .MG domains making DNSSEC signing accessible to .MG domain registrants.

I’ll note that the DNSSEC signing of .MG was part of a broader set of activities that took place on March 17, 2016, as part of “Internet Day 2016” withing Madagascar.  My colleague Michuki Mwangi was there and wrote about the activities that also included the launch of an Internet exchange point (IXP).  Judging by his photos, it looks like an interesting event!

We congratulate the .MG team for the signing!  It’s great to see the Africa part of our DNSSEC Deployment Maps get a bit more green – and we look forward to seeing even more ccTLDs sign their domains.

If you are interested in gaining the added level of trust in your domain that comes with DNSSEC, please visit our Start Here page to begin!

P.S. Madagascar will start appearing in our weekly DNSSEC deployment maps as green beginning next Monday, March 28, 2016.

DNSSEC and DANE Activities at ICANN 55 and Africa DNS Forum in Marrakech March 5-10

ICANN 55 logoStarting this Friday, March 5, I’ll be in Marrakech, Morocco, for a great bit of DNS security discussions at two events:  the Africa DNS Forum 2016 and the 55th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN).

Some great introductions to DNSSEC and DANE – and some outstanding technical presentations on Wednesday.  Two important changes from previous ICANN meetings:

  1. The “DNSSEC For Everybody” tutorial is now on Sunday instead of the usual Monday.
  2. The “DNSSEC Workshop” will be live streamed over YouTube in addition to the usual Adobe Connect (links are included below).

You can also follow along live on most social networks using these hashtags: #AfricaDNSForum, #ICANN55, #DNSSEC.

I also note at the end of the schedule below that I’ll be briefing ICANN staff and interested board members about the MANRS initiative to secure BGP and reduce IP spoofing as part of the Technical Experts Group (TEG) meeting at ICANN 55.

In addition to all of this technical and security work happening at ICANN 55, we at the Internet Society will also be extremely focused on the IANA Stewardship Transition process.  Please read this post from my colleague Konstantinos Komaitis where he explains why this upcoming meeting will be such a critical milestone.

Here are the  main activities – remote participation is available for all of them except one. Do note that all times are Western European Time (WET) which is the same as UTC.


Africa DNS Forum: Panel on DNS Tools

On Saturday, March 5, from 14:00 – 15:30 I will be talking about DNSSEC and DANE in a panel about “DNS and Internet Security Tools: DNSSEC, IPv6 and DANE“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016


Africa DNS Forum: Panel on emerging trends in DNS security

On Sunday, March 6, from 11:00 – 12:45 my colleague Michuki Mwangi will be moderating a panel on “Emerging Trends in DNS Security“. The live stream will be available at:
http://livestream.com/internetsociety/africadnsforum2016

I will be in the audience listening to what looks to be a great set of panelists.


DNSSEC For Everybody: A Beginner’s Guide

On Sunday, March 6, we’ll have the regular “DNSSEC For Everybody: A Beginner’s Guide” session from 16:45 – 18:15  where we’ll do our “skit” dramatizing DNS and DNSSEC. If you have been seeking to understand WHY this all matters, do join in to see! You can watch it remotely (or watch the archive later) at:

https://meetings.icann.org/en/marrakech55/schedule/sun-dnssec-everybody

And yes, I’ll be talking about blue smoke as I usually do – and this time I get to have a role in the skit!

NOTE: This session has historically taken place on the Monday afternoon of each ICANN meeting, but it was changed to Sunday as of this meeting as ICANN is in the process of consolidating tutorials on the Sunday of the event.


DNSSEC Implementers Gathering

On Monday, many of us who have been involved with deploying DNSSEC or DANE will travel to a nearby restaurant for the “DNSSEC Implementers Gathering” for food, drink and conversation from 19:00-20:00 IST.

Many thanks to Afilias for sponsoring the event.  This is the one event where there is no remote participation possible.


DNSSEC Workshop

As usual, the main event will be the DNSSEC Workshop on Wednesday, March 9, from 9:00 to 15:15 WET.

Remote participation information, slides, the agenda and more info can be found at:

https://meetings.icann.org/en/marrakech55/schedule/wed-dnssec

At the event the workshop will also be streamed live via YouTube at:

The sessions will be recorded on both YouTube and Adobe Connect if you would like to listen to them later. Slides will be posted to the workshop page before the event begins.

The current agenda includes:

0900-0915 – DNSSEC Workshop Introduction, Program, Deployment Around the World – Counts, Counts, Counts

  • Dan York, Internet Society
0915-0930 – Presentation: Update on the ‘Sunset’ of the DNSSEC Look-aside Validation Registry (DLV)

  • Victoria Risk, Internet Systems Consortium (ISC)
0930-1045 – Panel Discussion: DNSSEC Activities in the African Region

  • Moderator: Mark Elkins, DNS/ZACR
  • Panelists:
    • Alain Aina, AfriNIC
    • Landi Ahmed, KeNIC
    • Alex Corenthin and Khoudia Gueye Sy, .SN
    • Eberhard Lisse, .NA
1045-1100 – Break
1100-1130 –Presentation: DNSSEC SIGNER Switchover

  • Alain Aina, AfriNIC
1130-1200 – Presentation: DNSSEC At Scale

  • Dani Grant, Cloudflare
1200-1230 – Great DNS/DNSSEC Quiz

  • Dan York, Internet Society, presenting questions developed by Roy Ahrens, ICANN
1230-1315 – Lunch Break
1315-1415 – Panel Discussion: DNSSEC and Elliptic Curve Cryptography

  • Moderator and panelist: Dan York, Internet Society
  • Panelists:
    • Geoff Huston, APNIC
    • Jim Galvin, Afilias
    • Ólafur Guðmundsson, CloudFlare
    • Ondřej Surý, CZNIC
1415-1500 – Panel Discussion:  DNSSEC Root Key Signing Key (KSK) Rollover

  • Moderator: Russ Mundy, Parsons
  • Panelists
    • ICANN Root KSK Rollover Design Team members
    • Warren Kumari, Google
1500-1515 – Presentation: DNSSEC – How Can I Help?

  • Russ Mundy, Parsons and Dan York, Internet Society

ICANN Board with Technical Experts Group

After the 6+ hours of the DNSSEC Workshop are over, I’ll then head over to the meeting of the Technical Experts Group (TEG) from 15:30 – 17:00 where will I will be participating in the discussions meant to advise the ICANN staff and interested ICANN Board members about emerging trends in technology.  Toward the end of the session I will be presenting for about 15 minutes on the MANRS initiative to secure BGP and reduce IP spoofing in order to make the Internet’s routing infrastructure more resilient and secure.

Remote participation is available through the links found on the session page:

https://meetings.icann.org/en/marrakech55/schedule/wed-board-technical


If you will be there at either the Africa DNS Forum 2016 or  ICANN 55 please do say hello – you can find me in these sessions… or drop me a note at york@isoc.org and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!

Updated DNSSEC Deployment Maps Available on Deploy360

DNSSEC deployment map

Today I’ve updated the page showing DNSSEC Deployment Maps over on the Deploy360 site.  The maps are generated each Monday and sent to a mailing list (to which you can subscribe) and the latest versions are always available in the mailing list archives.  However, from time to time I update the page to show the latest maps so that people can easily find them.

By the way, the latest ccTLD to sign with DNSSEC was Azerbaijan’s .AZ domain!

Azerbaijan (.AZ) Becomes Latest ccTLD To Sign With DNSSEC

Azerbaijan signs .AZ with DNSSEC

Earlier this month Azerbaijan’s .AZ became the latest country-code top-level domain (ccTLD) to sign the domain with DNSSEC and complete the first step in allowing all domains underneath .AZ to obtain the higher level of security possible with DNSSEC.    This is, of course, just the first step.  As we outline in our tutorial, the next steps are that registrars and DNS hosting providers for .AZ need to now support the DNSSEC-signing of domains.  But it’s a good step to see!

We saw this signing come through on Rick Lamb’s DNSSEC Deployment Report and could easily verify it on the command-line using the command “dig dnskey az.” which shows the relevant DNSKEY records. (As well as “dig ds az.” that shows the existence of the DS record.)

A great step forward for Azerbaijan – and we look forward to seeing even more of the countries on our DNSSEC Deployment Maps filled in with green over the months ahead!

If you want to get started with DNSSEC, please visit our Start Here page to begin!

Congratulations to Uruguay on signing .UY with DNSSEC!

map of South America

Last week Uruguay became the latest country to sign their country-code top-level domain (ccTLD) with DNSSEC!  With that change, the DNSSEC deployment map for the Latin American region gets just that much greener.  And now, everyone using a .UY domain will potentially be able to benefit from the increased security and trust provided by DNSSEC – and also to make use of newer innovations such as DANE.  I say “potentially” only because having the TLD signed is just the first step in the process of signing your domain – you still need your domain name registrar and your DNS hosting provider (which might be your registrar) to support DNSSEC.  However, this is a great step forward for Uruguay and shows the continued deployment of DNSSEC around the world.

Congrats to the team at Servicio Central de Informatica (SECIU) who made this happen!

If you would like to learn about how you can secure your domain with DNSSEC (whether you are in Uruguay or anywhere else in the world), please visit our Start Here page to begin…

Congratulations to Argentina On DNSSEC-Signing of .AR!

Congratulations to Argentina on becoming the latest country to sign their country-code top-level-domain (ccTLD), with DNSSEC!  Today we are very pleased to update our DNSSEC Deployment Maps and give Argentina a shade of green for .AR!  Here’s how the maps looked between last Monday and today:

Argentina and DNSSEC

Awesome to see!

And obviously perfect timing for the ICANN 53 meeting next week in Buenos Aires where we’ll be talking all about DNSSEC at numerous sessions!

Congratulations to the whole team at NIC.AR for making this happen. Now all the people who register domains underneath .AR will at least have the possibility of adding the layer of security and trust that DNSSEC can provide. They will also be able to potentially use DANE and other new innovations that build upon DNSSEC.

The next step, of course, is for the registrars and DNS hosting providers who support .AR domains to allow registrants to use DNSSEC.  But that wouldn’t be possible without this first step of signing the .AR ccTLD.

Congrats and we’re looking forward to celebrating with the NIC.AR team in Buenos Aires!

P.S. If you would like to get started with DNSSEC, please visit our Start Here page to learn how to begin!   And if you would like to receive our weekly DNSSEC deployment maps, we have information about how you can subscribe.

New DNSSEC Deployment Map Available In Global Internet Maps

Our DNSSEC Deployment Maps are now also available as part of a larger set of Global Internet Maps produced as part of our annual Global Internet Report.  My colleague Michael Kende wrote about these new maps earlier this month and explained a bit about them. This new DNSSEC deployment map is rather fun in that it is interactive and you can zoom around and hover over any country to see what stage the country code top-level domain (ccTLD) is at.  This map is based off of the 5 stages of DNSSEC deployment that we track as part of the weekly DNSSEC deployment maps we generate. (Click/tap the image to go to the site.)

DNSSEC maps in Global Internet Report

One note of caution – these Global Internet Maps are only updated periodically and so that DNSSEC deployment map will not necessarily be as up-to-date with ccTLDs as the weekly DNSSEC Deployment Maps.  The best place to get the most current maps is the archive of the dnssec-maps mailing list.  New maps get generated every Monday morning.

However, the Global Internet Map is current now (March 2015) with regard to ccTLDs – and it’s a very nice view of where we need to have more ccTLDs signed with DNSSEC.  Please do enjoy using it – while you are there, please do explore all the other maps that are made available.  These kind of visualizations are great to see!

The post New DNSSEC Deployment Map Available In Global Internet Maps appeared first on Internet Society.

New DNSSEC Deployment Map Available In Global Internet Maps

Our DNSSEC Deployment Maps are now also available as part of a larger set of Global Internet Maps produced as part of our annual Global Internet Report.  My colleague Michael Kende wrote about these new maps earlier this month and explained a bit about them. This new DNSSEC deployment map is rather fun in that it is interactive and you can zoom around and hover over any country to see what stage the country code top-level domain (ccTLD) is at.  This map is based off of the 5 stages of DNSSEC deployment that we track as part of the weekly DNSSEC deployment maps we generate. (Click/tap the image to go to the site.)

DNSSEC maps in Global Internet Report

One note of caution – these Global Internet Maps are only updated periodically and so that DNSSEC deployment map will not necessarily be as up-to-date with ccTLDs as the weekly DNSSEC Deployment Maps.  The best place to get the most current maps is the archive of the dnssec-maps mailing list.  New maps get generated every Monday morning.

However, the Global Internet Map is current now (March 2015) with regard to ccTLDs – and it’s a very nice view of where we need to have more ccTLDs signed with DNSSEC.  Please do enjoy using it – while you are there, please do explore all the other maps that are made available.  These kind of visualizations are great to see!

Middle East DNS Forum Covers DNSSEC – Let’s Fill In The Map!

Over in Amman, Jordon, today our Internet Society colleague Frédéric Donck gave a keynote address at the Middle East DNS Forum where I know he was planning to speak about DNSSEC and our interest in advancing the deployment so that together we can make the Internet more secure via a more secure DNS infrastructure. (His talk was also going to cover Internet governance and infrastructure development topics.)  The folks at the Middle East DNS Forum were kind enough to tweet out a photo of Frédéric in action:

Middle East DNS Forum

In preparation for his presentation at the meeting, I provided Frédéric with a snapshot of our weekly DNSSEC Deployment Maps for the Middle East region (the colors represent the 5 stages of DNSSEC deployment):

dnssec-middle-east-march2015

As you can see, there’s definitely room to have more of the country-code top-level domains (ccTLDs) signed in the region.  From what the database shows, I have this information:

  • Lebanon has signed .LB and the DS record is in the root of DNS.
  • Afghanistan has signed .AF and the DS record is in the root of DNS.
  • Turkey (.TR) is “Announced” because a representative of the registry contacted me with their plans ( and they publicly announced their plans at the ICANN Turkey DNS Forum in November 2014).
  • Israel is in the “Announced” state because a representative of the .IL registry contacted me with their plans.
  • Iraq (.IQ) and Iran (.IR) are in “Experimental” because activity was observed a few years back.

For Lebanon and Afghanistan, they could be in the “Operational” stage and be accepting DS records from domain registrants.  We just don’t know because we have no way to find out unless either: 1) someone from the registry tells us (and I haven’t yet tried to contact these ccTLDs to know); or 2) someone who has registered a domain in those ccTLDs lets us know.

Although the agenda of the Middle East DNS Forum is mostly not about technical topics, I do hope Frédéric’s discussion will ignite some interest and we can start seeing the Middle East region joining the rest of the world in providing a way to secure the integrity of DNS information within the ccTLDs.

In fact, if you are visiting our site as a result of that Forum, please do visit our Start Here page to find out how you can begin with DNSSEC – or please contact us so that we can help you find the appropriate resources.

Let’s fill in that map and get the whole region to be green!

P.S. If anyone has more information about the DNSSEC deployment status of ccTLDs in that region, please do let me know – I’d be glad to update the maps.

Over 600 Top-Level Domains Now Signed With DNSSEC

As I was entering in data for the weekly DNSSEC Deployment Maps, I was struck by the fact that we are now at the point where 615 of the 793 top-level domains (TLDs) are now signed with DNSSEC. You can see this easily at Rick Lamb’s DNSSEC statistics site:

DNSSEC statistics

This represents 77% of all current TLDs!

Now, granted, most of that amazing growth in the chart is because all of the “new generic TLDs” (newgTLDs) are required to be signed with DNSSEC, but we are still seeing solid growth around the world.  If you look at the most recent DNSSEC Deployment Maps you can see that much of the world is being shown as “green” as more and more country-code Top Level Domains (ccTLDs) sign with DNSSEC:

ccTLD dnssec deployment map

Of course, having a TLD signed doesn’t mean that the second-level domains will be signed with DNSSEC. As various DNSSEC statistics sites will show, the percentage of signed second-level domains varies widely, from around 80% in .GOV down to tiny percentages in other TLDs.

BUT… the key point is that the first step in signing your domain is to be sure that your TLD is signed!

After the TLD has been signed, THEN steps can be taken to get more DNSSEC deployment happening underneath that TLD.  Look at how successful Norway has been with .NO after they recently signed the domain!

With some of the work that is happening via various DNSSEC Workshops,  ICANN’s DNSSEC training and other forums I know that we’ll see more and more of the TLDs being signed in the months ahead.  The excuse that “TLDs are not signed with DNSSEC” can no longer be used as an excuse for NOT working with DNSSEC and DANE!

Great to see!

P.S. If you want to get started with DNSSEC, please visit our Start Here page to find resources to help you begin.