Archive for category Uncategorized

Call for Participation – DNSSEC Workshop at ICANN65, Marrakech, Morocco

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop during the ICANN65 meeting held from 24-27 June 2019 in Marrakech, Morocco.  The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments.  For reference, the most recent session was held at the ICANN Community Forum in Kobe, Japan on 13 March 2019. The presentations and transcripts are available online.

The DNSSEC Workshop Program Committee is developing a 3-hour program.  Proposals will be considered for the following topic areas and included if space permits.  In addition, we welcome suggestions for additional topics either for inclusion in the ICANN65 workshop, or for consideration for future workshops. 

1.  DNSSEC Activities Panel (Regional and global)

For this panel, we are seeking participation from those who have been involved in DNSSEC deployment in the region and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment, including Root Key Signing Key (KSK) Rollover activities.  Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones? If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

2. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC.  In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:

  • Are there any policies directly or indirectly impeding your DNSSEC deployment? (RRR model, CDS/CDNSKEY automation)
  • What are your most significant concerns with DNSSEC, e.g., complexity, training, implementation, operation or something else?
  • What do you expect DNSSEC to do for you and what doesn’t it do?
  • What do you see as the most important trade-offs with respect to doing or not doing DNSSEC? 

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc. 

 In addition, we welcome suggestions for additional topics. 

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to dnssec-marrakech@isoc.org by **Friday, 31 May 2019**.

Thank you,
Kathy and Julie

On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, Chinese Academy of Sciences (CAS)
Russ Mundy, Parsons
Ondrej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society 


Is my web site being used via a DNSSEC-validator?

In the past, we’ve described how the graphic at the top of the  DNSSEC Deployment web site let you know if you’re validating or not.

Now, Jan-Piet Mens has posted an article on how he implemented this for his web site and how you can replicate his work with his code.  Thanks, Jan-Piet!


What’s *not* Changed in a Year

A minor (personal) milestone — I’ve collected DNSSEC data for the root and TLDs for 366 days (1 year because of the leap day).  During the collection I’ve done periodic analysis to see how DNSSEC is being driven by experts and have given a number of presentations on what’s been happening.  How is DNSSEC being run?  How do the operations differ from what the protocol engineers and RFC writers forecasted?  There are presentations in the archives for APRICOT, ICANN, IEPG, RIPE and CENTR meetings that have been held this past winter and spring that cover these questions from different angles.

Now, at the one year mark, for fun, a look at what’s not changed.

Not so noteworthy, because KSKs are expected to be used on the order of years, these records have been a constant:

  • 70 DNSKEY records holding SEP/KSKs
  • 44 DNSKEY RRSIG records, usually signed by SEP/KSKs
  • 46 DS records in the root

But these are fairly noteworthy:

  • 6 RRSIG records for NSEC/NSEC3PARAM and SOA
  • 9 DNSKEY records holding ZSKs (not alarming, but…)
  • 40 NSEC3PARAM – specifically 40 unchanged salts

First an explanation is needed (as usual when analyzing any set of data) – when I write that an RRSIG is unchanged, that refers to the signed-by fields and not the signature payload itself.  The TLDs are refreshing signatures as needed, but when the key isn’t changed (as well as some other parameters) my analysis considers the RRSIG to be the same.

What this analysis says is that there are 6 TLDs that have used a ZSK for a full year to generate signatures. Each of the 6 keys is RSA-SHA1 and 1024 bits long. So some are challenging the conventional wisdom (“CW”) notion that long lived keys will break. Publishing a ZSK for a year (per se) is not risky, but it shows that at least 9 ZSKs have a longer lifetime than expected.

Besides the 6 ZSKs that signed every day, there are three others: two never generated signatures and one did so over about a 9 month period.

The 40 unchanged NSEC3PARAM records indicate that 40 TLDs have run NSEC3 for a year (plus) and have not changed the salt (as opposed to the 4 TLDs that change the salt daily or nearly daily).  The RFC recommends “with every signing” but few do “batch” signing anymore.

Final note – these counts do not cover the TLDs that have begun operations within the past 366 days.

Ed Lewis

Director, Member of Technical Staff at Neustar
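As an added illustration of the comparison rule in the post above (this is not the author’s analysis code), the following Python tracks a TLD apex across daily snapshots and treats an RRSIG as unchanged when its signed-by fields (type covered, algorithm, key tag, signer name) match, ignoring the validity window and the signature payload that change with every re-signing; it also reports whether the NSEC3PARAM salt stayed constant. The TLD names, zone lines, key tags and salts are constructed sample data.

```python
"""Which DNSSEC parameters at a TLD apex stay constant across daily snapshots?
Added example with constructed snapshots; not the author's data or tooling."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SignedBy:
    """The RRSIG fields that identify *which key* signed *which type*.
    Inception, expiration and the signature bytes are deliberately left out."""
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def rtype(line: str) -> str:
    f = line.split()
    return f[3] if len(f) > 3 else ""


def parse_rrsig(line: str) -> SignedBy:
    # Presentation format (RFC 4034 section 3.2):
    # owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer signature
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return SignedBy(f[4], int(f[5]), int(f[10]), f[11])


def parse_nsec3param_salt(line: str) -> str:
    # owner TTL IN NSEC3PARAM hashalg flags iterations salt
    f = line.split()
    if len(f) < 8 or f[3] != "NSEC3PARAM":
        raise ValueError(f"not an NSEC3PARAM record: {line!r}")
    return f[7]


def signer_constant(snapshots: List[List[str]], type_covered: str) -> Optional[SignedBy]:
    """The signed-by identity of the RRSIG over `type_covered` if every daily
    snapshot carries exactly the same one; None if the signing key changed
    (or the type was unsigned / double-signed on some day)."""
    seen = set()
    for lines in snapshots:
        today = {parse_rrsig(l) for l in lines if rtype(l) == "RRSIG"}
        today = {s for s in today if s.type_covered == type_covered}
        if len(today) != 1:
            return None
        seen |= today
    return seen.pop() if len(seen) == 1 else None


def salt_constant(snapshots: List[List[str]]) -> Optional[str]:
    """The NSEC3 salt if it was identical in every snapshot, else None."""
    salts = set()
    for lines in snapshots:
        salts |= {parse_nsec3param_salt(l) for l in lines if rtype(l) == "NSEC3PARAM"}
    return salts.pop() if len(salts) == 1 else None


def summarize(by_tld: Dict[str, List[List[str]]]) -> Dict[str, int]:
    """Counts in the spirit of the post: TLDs whose SOA signer and whose salt never changed."""
    return {
        "unchanged_soa_signers": sum(1 for s in by_tld.values() if signer_constant(s, "SOA") is not None),
        "unchanged_salts": sum(1 for s in by_tld.values() if salt_constant(s) is not None),
    }


def snapshot(tld: str, day: int, key_tag: int, salt: str) -> List[str]:
    """One constructed daily capture of a TLD apex.  The validity window and the
    signature payload differ every day, as they would with regular re-signing."""
    inc = f"201906{day:02d}000000"
    exp = f"201906{day + 14:02d}000000"
    sig = f"sig{day:02d}=="
    return [
        f"{tld} 3600 IN SOA ns1.{tld} hostmaster.{tld} 201906{day:02d}01 7200 3600 1209600 3600",
        f"{tld} 3600 IN RRSIG SOA 5 1 3600 {exp} {inc} {key_tag} {tld} {sig}",
        f"{tld} 3600 IN NSEC3PARAM 1 0 10 {salt}",
        f"{tld} 3600 IN RRSIG NSEC3PARAM 5 1 3600 {exp} {inc} {key_tag} {tld} {sig}",
    ]


# Constructed sample: one TLD keeps its ZSK (tag 12345) and salt all three days,
# the other rolls its ZSK on day 3 and re-randomises the salt daily.
SNAPSHOTS = {
    "example.": [snapshot("example.", d, 12345, "AABBCCDD") for d in (1, 2, 3)],
    "test.": [snapshot("test.", 1, 11111, "0102"),
              snapshot("test.", 2, 11111, "0304"),
              snapshot("test.", 3, 22222, "0506")],
}

if __name__ == "__main__":
    for tld, snaps in SNAPSHOTS.items():
        print(tld, "SOA signer:", signer_constant(snaps, "SOA"), "salt:", salt_constant(snaps))
    print(summarize(SNAPSHOTS))
```

Real collection would replace `SNAPSHOTS` with one zone-apex query per TLD per day; the comparison logic is unchanged.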


DNSSEC at the Pub

As seen on the DNSSEC Deployment Working Group email list:

Invitation to Informal Gathering of DNSSEC Implementers in Prague 26 June

On behalf of the DNSSEC Deployment Initiative and CZ.NIC, DNSSEC Implementers are invited to attend an informal gathering to discuss and exchange information on their DNSSEC implementation experiences during the ICANN meeting in Prague, Czech Republic. This is a unique opportunity to meet with and talk to key implementers, such as CZ.NIC, Nominet UK, ISC, IIS Sweden, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences. This is a peer-to-peer event for implementers.

Where: Pivovarsky klub

When: Tuesday, 26 June 2012, 6:00 to 8:00 pm

Note that this event is in addition to the other DNSSEC events scheduled during the ICANN meeting. These are:

Monday, 25 June: 4:00-5:30 pm — DNSSEC for Everybody – Roma, Details:

Wednesday, 27 June: 8:30 am to 1:45 pm — DNSSEC Workshop at ICANN Meeting – Congress I, Details:

**Please RSVP to no later than Friday, 22 June if you would like to attend.**

Best regards,

Julie Hedlund

On behalf of Ondřej Surý, CZ.NIC and Steve Crocker and Russ Mundy for the DNSSEC Deployment Initiative


DNSSEC Workshop at ICANN 44

As with other recent ICANN meetings, there will be a DNSSEC workshop at ICANN 44.  The workshop will be held on Wednesday, 27 June 2012 from 08:30 until 13:45 CEST (UTC/GMT +2 hours).   Remote participation is available for the meeting.

The agenda for the meeting as it currently stands:

1. Introduction and Presentation: DNSSEC Deployment Around the World: Steve Crocker, Shinkuro

2.  DNSSEC activities in Europe

3. ISPs and Validation

4. The realities of running DNSSEC

5. DNSSEC and Enterprise Activities

6. DANE and other DNSSEC applications

7. The Great DNSSEC Panel Quiz


The Legend of DNSSEC

We’ve taken to putting up animated maps of DNSSEC adoption in country code TLDs (ccTLDs) every few months (6 March 2012, 4 June 2012).   One question we get is,  “So, what does the legend in the maps we produce indicate?”  From the past through the date of the map, the following are from observation.  For dates beyond the date of the map, the following are either an extension of the observation or based on stated plans.

  • Experimental  (yellow) — We have reason to believe that the ccTLD is (or will be) experimenting with DNSSEC.
  • Announced (orange) — The ccTLD has announced that they will support DNSSEC.
  • Partial (green)  — The ccTLD has signed their zone, but has not yet passed DS records up to the root and may or may not be accepting signed delegations.
  • DS in Root (blue) — The ccTLD is signed and DS records for its KSKs are (or will be) in the root zone, but it is not yet accepting signed delegations.
  • Operational (red) — The ccTLD is signed, it has DS records in the root, and it is accepting signed delegations (DS records from child zones).

We can and do identify current Partial and DS in Root statuses programmatically.  Everything else needs human input.  Specifically, your input sent to info @
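To show how the Partial and DS in Root statuses can be derived from observed records while the others still need a human, here is an added Python example (not the project’s own map-generation code). It computes each DNSKEY’s key tag as specified in RFC 4034 Appendix B, checks whether a DS in the root zone references one of the ccTLD’s KSKs (SEP flag set), and reports Operational only when a human-supplied flag says signed delegations are accepted. The DNSKEY and DS lines are constructed, with deliberately tiny dummy key material and a placeholder digest; treating a DS that matches no published KSK as Partial is this example’s own choice, since such a DS does not complete the chain of trust.

```python
"""Classify a ccTLD's DNSSEC map status from observed DNSKEY and root-zone DS records.
Added example with constructed data; not the project's own tooling."""
import base64
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    cctld: str
    dnskeys: List[str]      # DNSKEY lines seen at the ccTLD apex
    root_ds: List[str]      # DS lines for this ccTLD seen in the root zone
    accepts_signed_delegations: Optional[bool] = None   # human input, not observable from the zones


def key_tag(dnskey_line: str) -> int:
    """Key tag of a DNSKEY in presentation format (RFC 4034 Appendix B).
    Format: owner TTL IN DNSKEY flags protocol algorithm base64-key..."""
    f = dnskey_line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {dnskey_line!r}")
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[7:]))
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ksk_tags(dnskeys: List[str]) -> Set[int]:
    """Key tags of the keys flagged as SEP/KSK (flags bit 0x0001)."""
    return {key_tag(l) for l in dnskeys if int(l.split()[4]) & 0x0001}


def ds_tags(root_ds: List[str]) -> Set[int]:
    # owner TTL IN DS keytag algorithm digesttype digest
    return {int(l.split()[4]) for l in root_ds}


def classify(obs: Observation) -> Optional[str]:
    """Map legend status, or None where only human input can decide
    (Experimental / Announced)."""
    if not obs.dnskeys:
        return None
    if not (ksk_tags(obs.dnskeys) & ds_tags(obs.root_ds)):
        return "Partial"        # signed, but no DS in the root links to a published KSK
    if obs.accepts_signed_delegations:
        return "Operational"
    return "DS in Root"


# Constructed records.  "AQID" is a 3-byte dummy key (far too short for a real
# RSA key); only the tag arithmetic matters here.  Its key tag is 2059.
KSK = "example. 3600 IN DNSKEY 257 3 8 AQID"
ZSK = "example. 3600 IN DNSKEY 256 3 8 AQIE"
GOOD_DS = "example. 86400 IN DS 2059 8 2 PLACEHOLDERDIGEST"   # digest is not checked here
STALE_DS = "example. 86400 IN DS 1111 8 2 PLACEHOLDERDIGEST"  # references no published KSK

CASES: Dict[str, Observation] = {
    "unsigned": Observation("example.", [], []),
    "partial": Observation("example.", [KSK, ZSK], []),
    "stale_ds": Observation("example.", [KSK, ZSK], [STALE_DS]),
    "ds_in_root": Observation("example.", [KSK, ZSK], [GOOD_DS]),
    "operational": Observation("example.", [KSK, ZSK], [GOOD_DS], accepts_signed_delegations=True),
}


def classify_all() -> Dict[str, Optional[str]]:
    return {name: classify(obs) for name, obs in CASES.items()}


if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK))
    for name, status in classify_all().items():
        print(f"{name:12s} -> {status}")
```

Feeding it live data means fetching the ccTLD’s DNSKEY RRset and the root zone’s DS records for that ccTLD; the SEP flag is the same bit registries set on the key they publish DS records for.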


DNSSEC in ccTLDs, Past, Present, and Future

This animated GIF shows announced, estimated, and actual DNSSEC adoption by ccTLDs from January 2006 through July 2014 as of 4 June 2012.  The map is a work in progress.  We’re pretty sure about the past and present.  If you manage a ccTLD and have a schedule for deployment or have updates/corrections, let us know at info @.  We’d like to see a more colorful, even completely red, map in the future.


SIDN announces DNSSEC operational for .NL

SIDN logo

Today, SIDN, the Foundation for Internet Domain Registration in the Netherlands, announced that DNSSEC is operational for the .NL ccTLD (English translation here).  The announcement identifies nine registrars offering DNSSEC support for .NL as of today.

“SIDN is committed to making the internet more secure. And we regard DNSSEC as an important tool for achieving enhanced DNS security,” said Roelof Meijer, SIDN’s CEO.


DNSSEC makes its debut at NCCDC

NCCDC logo

Congratulations to the University of Washington, which took first place at the National Collegiate Cyber Defense Competition (NCCDC) in April—the first to emphasize the use of DNSSEC in its challenges.

Each year, the NCCDC tasks teams of collegiate programmers with defending business networks just as in real life, while Red Teams try to penetrate them. This year’s competition involved 126 schools and over 1,500 competitors.  Thanks to input from the DHS S&T Directorate, it marked the first time teams were asked to not only sign the zones on their DNS servers, but re-sign them as if they’d migrated their DNS services to a different operating system or application software.

According to organizer Dwayne Williams, roughly 80% of the competitors had heard of DNSSEC before, but less than 10% had ever actually used or implemented it prior to NCCDC. While two of the teams noted that they would like to see simpler, step-by-step instructions for implementing DNSSEC, all of the teams ultimately thought DNSSEC was a technology they planned to look at more in the future.

Overall team reaction was positive and Dwayne Williams notes that the NCCDC succeeded in introducing DNSSEC to all competitors and making them aware of some of its fundamental capabilities.


LISA ’12 Call for Participation

Lisa '12 CFP

There are still a couple weeks left to submit your DNSSEC  papers, etc. to LISA ’12.  This, the Usenix Association‘s 26th Large Installation System Administration Conference,  will be held December 9-12, 2012 in San Diego, California.    General conference information is here.
