Canada Joins The DNSSEC World – Sign Your .CA, Eh?
Congratulations to our friends up North in Canada for the DNSSEC signing of the .CA domain, joining the ever-growing list of top-level domains (TLDs) that are securing their DNS records with DNSSEC! As Jacques Latour of the Canadian Internet Registration Authority (CIRA) outlined in a CIRA blog post they took some time to ensure their system was resilient:
We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages.
We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently. These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work.
It’s great that CIRA went through this effort and we look forward to learning from them as they share more information about what they did.
Now, publishing the signed .CA zone is just the first step in enabling DNSSEC for .CA domains. They still have some work to do before they can begin accepting DS records from registrars that support DNSSEC. Their stated goal is to complete that work this year so that in 2014 they can begin accepting signed domains.
In the meantime, we’ve been told that people who can sign and host their .CA domains can contact CIRA at email@example.com to find about how to manually get their DS record into the .CA zone.
This is great work and we look forward to seeing more about DNSSEC and .CA over this year. CIRA has published a DNSSEC page with information. Over on Dark Reading, David Schwartzberg also wrote about Canada joining the DNSSEC party.
Congrats, again, to Jacques Latour and the whole team at CIRA!
P.S. And yes, I did pick up the toy beaver in the photo from a .CA booth at a conference… having lived in Canada for 5 years I enjoy that the .CA team can have some fun with some of the Canadian stereotypes.