Deploy360 22 February 2013

Canada Joins The DNSSEC World – Sign Your .CA, Eh?

By Dan York, Director, Internet Technology

Congratulations to our friends up North in Canada for the DNSSEC signing of the .CA domain, joining the ever-growing list of top-level domains (TLDs) that are securing their DNS records with DNSSEC! As Jacques Latour of the Canadian Internet Registration Authority (CIRA) outlined in a CIRA blog post, they took some time to ensure their system was resilient:

We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages.

We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently. These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work.

It’s great that CIRA went through this effort and we look forward to learning from them as they share more information about what they did.

Now, publishing the signed .CA zone is just the first step in enabling DNSSEC for .CA domains.  They still have some work to do before they can begin accepting DS records from registrars that support DNSSEC.  Their stated goal is to complete that work this year so that in 2014 they can begin accepting signed domains.

In the meantime, we’ve been told that people who can sign and host their .CA domains can contact CIRA at [email protected] to find out how to manually get their DS record into the .CA zone.

This is great work and we look forward to seeing more about DNSSEC and .CA over this year.  CIRA has published a DNSSEC page with information. Over on Dark Reading, David Schwartzberg also wrote about Canada joining the DNSSEC party.

Congrats, again, to Jacques Latour and the whole team at CIRA!

P.S. And yes, I did pick up the toy beaver in the photo from a .CA booth at a conference… having lived in Canada for 5 years I enjoy that the .CA team can have some fun with some of the Canadian stereotypes. 🙂

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
