Domain Name System Security Extensions (DNSSEC) is an important set of extensions that provide an extra layer of security to the domain name system (DNS). It helps to ensure that the websites that a user is expecting to be communicating with is in fact the correct one. When DNSSEC is properly implemented, it can help to prevent man-in-the-middle type attacks in the DNS infrastructure.
CIRA is committed to providing the Canadian Internet user with a safe, secure and trusted online experience, and DNSSEC is the next logical step in secure DNS services. The Registry, registrars and DNS hosting companies have taken a leadership role in enabling customers to be able to sign zones using DNSSEC. In addition to this important step, a number of other key factors are helping to drive a more secure Internet.
- IETF –The Internet Engineering Task Force’s (ITEF) DANE working group is using the DNS-based authentication of named entities (DANE) protocol to add more security to TLS/SSL connections. In addition, the Using TLS in Applications (UTA) working group is helping to guide developers in including additional security into applications.
- CSRIC III – The Communications Security, Reliability, and Interoperability Council (CSRIC III) continues to discuss and seek input on DNSSEC and other Internet security standards to help protect the Internet’s routing infrastructure.
- ISS – The Internet Systems Consortium and the software companies that support it have moved DNS signing and validation from a command line to a point-and-click activity to improve an error prone process.
- Country-level success – There are over 35 countries with a high penetration (defined as over 30 per cent) of DNS resolvers capable of DNSSEC validation. Our closest neighbor, the US is at 23 per cent and still ranking among global leaders.
DNSSEC Technical Resources