After signing the root, a burst of DNSSEC activity

In the 10 days since the Internet’s root zone was signed, DNSSEC-related activity has been reported in commercial, non-profit and government circles, including these announcements:

  • The White House called the root signing “an Internet security upgrade that is important not only for its practical, day-to-day value in blocking a class of online threats, but also for demonstrating that the cooperative, private-sector-led, standards-based model of Internet architecture remains vital and effective.” Announcements from Verisign, the U.S. Department of Commerce and ICANN also followed the signing.
  • Comcast noted the signed root, and announced “the deployment of the DNS root key to all of our DNSSEC trial servers across the country,” alerting Comcast customers that they can start using its trial servers immediately.
  • .org announced that Go Daddy, Dyndns.com and NamesBeyond now support DNSSEC-signed .org domain names. CEO Alexa Raad said the move “will take widespread DNSSEC adoption to the next level.”


Root zone signed with DNSSEC, “building new levels of trust on the Internet”

Culminating years of effort on the part of many public and private organizations and individuals, ICANN has now confirmed the root zone is signed and available, and has published the root zone trust anchor so that root operators can begin to serve the signed root zone with actual keys. Initiative partner and Shinkuro CEO Steve Crocker said:

This is a very special day.  Very, very many people, working for many years all over the world made this day possible.  Like the golden spike that completed the first transcontinental railroad in the United States, the signing of the root completes the basic platform for building new levels of trust on the Internet.


Free “DNSSEC Decoded” seminar set for July 27

“DNSSEC Decoded,” a half-day seminar sponsored by Secure64, will take place July 27 from 8:30 a.m. to 11:30 a.m. in Washington, DC, at the International Spy Museum’s Zola Restaurant.

Speakers include Initiative partner and NIST computer scientist Scott Rose and Microsoft Federal Group Chief Security Officer Bill Billings.  Breakfast is included in the event, and the speakers will discuss why U.S. federal agencies’ internal networks are targets for theft of confidential information; how DNSSEC protects internal and external domains from hijacking; DNSSEC deployment requirements and FISMA requirements that pertain to DNSSEC; and case studies from other federal agencies.  Seating is limited; you also may listen to a recording of the event with the chance to ask questions of the speakers.


U.S. Commerce Secretary cites DNSSEC on eve of root signing

U.S. Commerce Secretary Gary Locke yesterday addressed a meeting of the federal agencies participating in a government-wide cybersecurity policy review, citing DNSSEC as a significant accomplishment in securing the Internet, on the eve of the signing of the root zone.  His remarks included these words:

One of the Commerce Department’s most important accomplishments will go into effect tomorrow when DNSSEC is deployed at the root of the Domain Name System.

This action will essentially give a “tamper proof seal” to the address book of the Internet – a seal that gives Internet users confidence in their online experience.

And I’d like to thank the Department’s partners in this effort — the Internet Corporation for Assigned Names and Numbers, and VeriSign.  This effort is an excellent example of public – private cooperation, which included extensive domestic and international community consultation. 


Today: Watch the KSK ceremony live streamed

ICANN will live-stream the key signing key ceremony in Los Angeles, in preparation for putting the DNSSEC-signed root zone into production later this week.  Find the stream here, starting at 2000 UTC; a full agenda appears here.  Read about the first KSK ceremony in Virginia here.


.org shares Comcast DNSSEC advice for ISPs

In DNSSEC Deployment Among ISPs: The Why, How and What, Lauren Price of .org interviews “the DNS gurus at Comcast to see what they’ve learned and what advice they would give other ISPs considering DNSSEC deployment.” The post answers such questions as “What is the benefit to an end user when an ISP supports DNSSEC?” and “What advice would you give other ISPs?”  Specific lessons from Comcast’s testing of DNSSEC are included.


Rome DNSSEC awareness and planning workshop this week

Members of the DNSSEC Deployment Coordination Initiative will move from the ICANN meeting in Brussels to a special two-day DNSSEC Awareness and Planning Workshop in Rome on June 30 and 31.  The workshop, to be held at the Global Cyber Security Center as its first major initiative, intends to “promote the adoption of DNSSEC globally, with a focus on key sectors in Italy and in neighboring countries in Europe, the Middle East and North Africa.”  Speakers will share experiences from Italy, Sweden, the United Kingdom, the Czech Republic, Portugal, the United States and more.


A View from the Room: DNSSEC Deployment Workshop, Brussels

(Editor’s note:  In this post, Russ Mundy, principal networking scientist at Cobham Analytic Solutions and member of the ICANN Security and Stability Advisory Committee, reflects on this week’s DNSSEC workshop at the ICANN meeting.  A longtime participant in the global effort to move DNSSEC to deployment, Mundy is among the partners in the DNSSEC Deployment Coordination Initiative.)

Wednesday at the Brussels ICANN meeting was an exciting day for folks interested in DNSSEC deployment. There had been quite a build up for the DNSSEC Workshop including remarks by ICANN CEO, Rod Beckstrom, in his opening speech for the Brussels meeting.

There were over thirty presenters and panelists from around the globe that contributed their experiences, issues and ideas related to deployment of DNSSEC. A panel format was used to lead both in-room and remote discussions. The panels included Registry and Registrar issues, ISP and Resolver issues, Tools for DNSSEC, presentations of activities from around the region (even a few t-shirts handed out) as well as presentations on signing of the root zone. As noted in other blog entries, there were a number of DNSSEC announcements made at and around the workshop that further added to the enthusiasm and excitement.

This workshop had another milestone in that eight organizations agreed to sponsor lunch for workshop participants. So, the workshop participants received a sizable dose of DNSSEC and a free lunch.

I’m not sure who started the phrase “This is the end of the beginning for DNSSEC” but I heard it from a number of people. Almost as if to drive the point home to this humble DNSSEC enthusiast, I found that the Internet service provider for the hotel where I stayed for the meeting manipulated DNS such that I was not able to use DNSSEC at all from my hotel room. These are, indeed, exciting times for DNSSEC deployment but there are still many things that need to be done by many people and organizations to make DNSSEC ubiquitous – but it sure is nice to have reached the “end of the beginning.”


ICANN puts DS records for .br, .cz and .uk into root zone

ICANN has begun the process of putting delegation signer (DS) records into the root zone for those top-level domains (TLDs) that have signed their zones.  By the time the root is signed with a live key in mid-July, the root should be populated with the DS records of all of the TLDs that have signed their zones.  The process began this week with the DS records for Brazil (.br), the Czech Republic (.cz) and the United Kingdom (.uk); all three are now visible in the root zone.  Go here for a useful table showing the status of TLD deployment of DNSSEC.


More from ICANN Brussels meeting on DNSSEC

Steve Crocker and Alexa Raad at ICANN press conference

As the ICANN Brussels meeting continues, here are more updates on DNSSEC-related activities and announcements happening there:

  • Full details from the ICANN/.org joint announcement that the generic top-level domain is the first to fully deploy DNSSEC are now available, including the news release, video and photos of the news conference.
  • Yesterday’s DNSSEC workshop now can be reviewed in online presentations, a transcript, and archived virtual meeting room files you can download.
  • In “DNSSEC Becomes a Reality Today at ICANN Brussels,” Afilias executive vice president and CTO Ram Mohan reports that more than two dozen organizations’ DNSSEC efforts were presented yesterday. He noted that among yesterday’s announcements, “Go Daddy publicized its commitment to DNSSEC at the ICANN meeting, telling a crowded meeting hall that it will offer a managed DNSSEC service to its customers later this year. An additional 11 registrars have completed operational testing to offer DNSSEC-signed .ORG domains to their customers.”
