DNSSEC Gets Its Own Coalition - Page 2
To date, VeriSign has not implemented DNSSEC on the production root servers for .com or .net, though it is currently running a test bed. The .org top-level domain (TLD) doesn't have DNSSEC deployed yet either, though deployment is under way through an initiative launched earlier this year. The DNSSEC Industry Coalition itself is chaired by .org's CEO, Alexa Raad.
For VeriSign, Kane argued that the real heavy lifting of implementing DNSSEC isn't necessarily at the registry level, where VeriSign sits, but at the registrar level. Registrars are the organizations that actually deal with the domain owners.
"I've got 950 registrar customers that are going to have to carry and implement the heavy lifting," Kane said. "The registrars will have to manage the key process, they'll have to do the lion's share of the work to make this thing real. As infrastructure players, we can sign a zone and ISPs can act on the response that comes from a zone. But for a registrant to take their domain name and make sure it's DNSSEC enabled, they have to interact with their registrar."
Kane also noted that there are currently some 280 top-level domains, and that it's important to make sure the DNSSEC implementation is similar across them; otherwise it will be very difficult for the registrars to implement.
"We're partly trying to make sure we make it simple, straightforward and financially feasible for the registrars to easily implement DNSSEC as it comes to each top level domain that launches," Kane said.
For the ISC's Vixie, the real barriers to DNSSEC adoption involve a number of items. For one, he stresses the need to get the root zone signed, including .com, for DNSSEC to function as it was intended. Improving the usability of DNSSEC's tools and implementation is also key. That involves DNS servers like BIND as well as many other Internet ecosystem vendors.
"We need Apple, Red Hat, Microsoft, Ubuntu and all major wireless and wireline ISPs to support DNSSEC validation in their recursive name servers and clients," Vixie said. "And we need the DNS registrars and registries to fully support DNSSEC for all their domain holders, meaning that if a domain holder signs their zones they ought to be able to upload their public keys someplace."
All told, implementing DNSSEC will involve many stakeholders and some cost. VeriSign's Kane noted that encryption hardware and software for key management may be required, as well as time and testing.
"When you're talking about changing the ecosystem-wide fabric of DNS you have to involve ISPs, application developers, registrars, registries and registrants and do plenty of testing," Kane said. "DNS is a tool that people have come to treat like flipping a light switch. They expect it to be available and work. Testing will take the majority of the effort and time."
Article courtesy of InternetNews.com