We’ve been very pleased to see Dr. Jim Galvin of Afilias writing a series of articles about DNSSEC over on CircleID. Jim has been a long-time friend and supporter of the Deploy360 Programme and has spoken multiple times at our ION conferences. (For example, he spoke at our recent ION Belfast event.) Jim was also involved with the recent sponsorship of our ION conferences by Afilias.
Anyway, over at CircleID Jim started a series of articles about different aspects of DNSSEC. His articles thus far include:
- DNSSEC Adoption Part 1: A Status Report
- DNSSEC Adoption Part 2: The Current Functionality Gap
- DNSSEC Adoption Part 3: A Five Day Hole in Online Security
The three articles provide a good overview of the current state of DNSSEC. His third article, in particular, dives into an issue that has not been widely discussed – the potential 5-day waiting period during the transfer of a domain between registrars. As Jim notes:
> In pre-DNSSEC days this technical issue would resolve itself relatively benignly. However, post-DNSSEC, if the domain name in question is DNSSEC signed, the failure of the domain name to DNS resolve (and hence, validate) results in a security incident. The previously benign “site not found” becomes a scary “you don’t want to go there” message, potentially damaging the credibility and brand of the domain name owner.
He goes on to note what needs to be done to address this issue and concludes:
> The current business practices around this transfer policy require urgent coordination amongst registrars so that effective DNSSEC deployment can happen without an impact to the end-user or the domain name owner.
We agree that this is a concern when transferring domains and do hope to see this kind of coordination happening among registrars.
We also hope to see Jim continue writing detailed articles like these over on CircleID. You can see his writing there on his author page at CircleID.
And if you’d like to learn more about DNSSEC, please visit our Start Here page to begin!