Guest post (Jacques Latour): DNSSEC update


Jacques Latour, CIRA’s Director, Information Technology, updates CIRA’s progress on DNSSEC in this post.

This week, we reached a major milestone in implementing DNSSEC in .CA. On January 21, CIRA published a signed .CA zone file. We have also submitted the .CA DS record to the Internet Assigned Numbers Authority (IANA).

DNSSEC is an important set of extensions that provide an extra layer of security to the domain name system (DNS). Its implementation is critical to ensure the continued safety and security of .CA.

We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages.

We created dual independent signing engines using BIND and OpenDNSSEC. There were a few challenges along the way. For example, BIND and OpenDNSSEC produce different, although valid, signed zone files, and both handle signing differently. These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work.
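One way to check that two independent signers signed the same underlying data even though their signed output differs, as an added example that is not CIRA's tooling or process: strip the DNSSEC records from each signed zone and compare what remains. The `example.ca.` zone contents, the abbreviated placeholder RRSIG data, and the function names are all constructed for illustration.

```python
# Added illustration, not CIRA's tooling. Zone data is constructed; RRSIG rdata is a placeholder.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def fqdn(name, origin):
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def split_zone(text, origin):
    """Return (data, dnssec) sets of (owner, type, rdata) tuples.
    Handles one-record-per-line zones only; names inside rdata must be absolute."""
    data, dnssec = set(), set()
    owner = fqdn("@", origin)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                            # blank line or $ORIGIN/$TTL directive
        if not line[0].isspace():               # a leading blank inherits the previous owner
            owner = fqdn(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                       # TTL and class, in either order
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        (dnssec if rtype in DNSSEC_TYPES else data).add((owner, rtype, rdata))
    return data, dnssec

def compare_signers(zone_a, zone_b, origin):
    """Signatures may differ between signers; the data they cover must not."""
    data_a, sec_a = split_zone(zone_a, origin)
    data_b, sec_b = split_zone(zone_b, origin)
    return {"only_in_a": sorted(data_a - data_b),
            "only_in_b": sorted(data_b - data_a),
            "dnssec_records_differ": sec_a != sec_b}

ZONE_A = """
example.ca. 3600 IN SOA ns1.example.ca. admin.example.ca. 1 7200 900 1209600 3600
example.ca. 3600 IN NS ns1.example.ca.
example.ca. 3600 IN RRSIG NS 8 2 3600 SIG-A-PLACEHOLDER
www.example.ca. 3600 IN A 192.0.2.10
www.example.ca. 3600 IN RRSIG A 8 3 3600 SIG-A-PLACEHOLDER
"""
ZONE_B = """
$ORIGIN example.ca.
@   IN 3600 SOA ns1.example.ca. admin.example.ca. 1 7200 900 1209600 3600
    3600 IN NS ns1.example.ca.
    3600 IN RRSIG NS 8 2 3600 SIG-B-PLACEHOLDER
www 3600 IN A 192.0.2.10
    3600 IN RRSIG A 8 3 3600 SIG-B-PLACEHOLDER
"""
```

An empty `only_in_a` and `only_in_b` means both signers covered identical records, so a difference in `dnssec_records_differ` alone reflects signer behaviour rather than data drift.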

This milestone is the result of almost a year’s work, starting with the release of our DNSSEC Practice Statement for comment in February 2012. This document provides an operational outline of how we plan to develop, maintain and manage DNSSEC deployment for .CA. In September 2012, we held a key signing ceremony at our Ottawa office. At this ceremony, the cryptographic digital key that is used to secure the .CA zone was generated.

These steps provided the foundation for the next phase of our work, the publishing of the .CA zone file, which was completed this week. The next phase of CIRA’s work in implementing DNSSEC is to make the necessary upgrades to ready the registry system for transacting DNSSEC-enabled .CA domain names. We expect this work to be complete in 2014. Once complete, CIRA will be able to register DNSSEC-enabled .CA domain names. Our next steps also include working with the Canadian Internet community to get them onside to implement DNSSEC in their systems.

Once we have fully implemented DNSSEC, we will have reached a major milestone in ensuring .CA is among the safest top-level domains in the world.

Should you have questions or concerns, please do not hesitate to contact cira-dnssec@cira.ca.