From your second link there is a PDF survey in the footnotes that is an interesting read as well.
|If you have not implemented DNSSEC, do you plan to? |
Many of the registries who replied "No" mentioned that although the registry doesn't plan implementing DNSSEC at the moment, they know it is important and that it will probably happen at some point in the future. Some of them also mentioned that some existing problems first need to be solved – such as Zone Walking, or having an IETF standard developed. A few also stated they don't see a point in implementing DNSSEC as long as the root has not been signed.
Those that have implemented DNSSEC were asked to please briefly describe the technical environment used:
|A summarising overview shows that some were doing fully manual signing, however most had developed systems to help sign their zones. |
So the process can be automated by the sounds of it. Could one assume that there should be no additional expenses upon full implementation of DNSSEC?
I couldn't answer for the expense involved, I doubt it's negligible but I also doubt it is overly onerous either, especially compared to the costs of not implementing a more secure DNS solution. The fundamentals of the current DNS system remain intact. The raison d'être of DNSSEC is simply the use of digital signatures (not to be confused with encryption) which enable users to authenticate the data against a public key, rather than the current open architecture. DNSSEC is a leap forward in preventing problems such as DNS cache poisoning. The whole process can be automated, and many registries are already implementing DNSSEC to create a chain of trust from the root up, via the registries, to the client.
The news that ICANN are moving towards DNSSEC for the root zone follows announcements by PIR regarding the successful implementation of DNSSEC for the .org registry:
.ORG is the First Open Top-Level Domain to be Signed with Domain Name Security Extensions [pir.org]
|Today, .ORG (...) is the first open generic Top-Level Domain to successfully sign the .ORG zone file with Domain Name Security Extensions (DNSSEC). To date, the .ORG zone is the largest domain registry to implement the security measure. |
"We feel that implementing DNSSEC is a fundamental step in the upgrade of Internet security and stability," says Alexa Raad, CEO of .ORG, The Public Interest Registry. "With continuing growth of the Internet and the increasing number of applications depending on the DNS, this is a critical step in the evolution of the Internet."
A good site to read up about DNSSEC is the DNSSEC Deployment Initiative [dnssec-deployment.org].
|and many registries are already implementing DNSSEC to create a chain of trust from the root up, via the registries |
Precisely. This is where I was wondering if this was going to be something we would need to be concerned about during domain registration. I don't think so. Expenses look negligible to me, from the quoted responses in the same PDF survey mentioned earlier at least.