‹ Back
Deploy360 11 April 2012

FCC Publishes DNSSEC Recommendations for ISPs

Dan York
By Dan YorkDirector, Online Content

FCC CSRIC logoAre you are network operator or Internet service provider (ISP) seeking to understand what you need to do to implement DNSSEC within your network? Are you looking for guidance to help you understand how to proceed?

If so, the U.S. Federal Communications Commission (FCC) just published a set of “DNSSEC Implementation Practices for ISPs” through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC).  The 29-page PDF is available at:


The document provides:

  • A brief overview of DNS and DNSSEC
  • A view of the current state of DNSSEC deployment
  • How Internet Service Providers (ISPs) can use DNSSEC
  • An analysis of the key drivers and challenges for implementing DNSSEC
  • Specific best practice recommendations to ISPs for deploying DNSSEC

The key recommendations of the working group include:

  1. ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC-aware, as soon as possible.
  2. Key industry segments, such as banking, credit cards, e-commerce, healthcare and other businesses, sign their respective domain names. The FCC ask industry-leading companies in key sectors commit to doing so, in order to create competitive pressure for others to follow. These industries may be prioritized based on the prevalence of threats to each one, which would mean focusing on financially related sites first, followed by other sites that hold private user data.
  3. Software developers such as web-browser developers study how and when to incorporate DNSSEC validation functions into their software. For example, a browser developer might create a visual indicator for whether or not DNSSEC is in use, or perhaps only a visual warning if DNSSEC validation fails.

We’re very pleased to see these recommendations as they are very much in line with what we’ve been promoting here on the site about DNSSEC – and are very much in line with our recent analysis of DNSSEC challenges and opportunities.

If you are an ISP or network operator, these recommendations from the FCC are definitely ones to consider and act on.  Kudos to the CSRIC Working Group and the FCC for publishing this document.

Thanks to the DNSSEC Deployment Initiative for pointing out that these recommendations were published.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

FCC requests comments on DNSSEC, BGPSec and Anti-Spoofing
Deploy36012 August 2014

FCC requests comments on DNSSEC, BGPSec and Anti-Spoofing

On July 25, 2014 the United States Federal Communications Commission (FCC) posted a request for comments from the ISP community...

Want To Speak About Your DNSSEC Or DANE Work, Tool or Service? (ICANN52 CFP)
Deploy3604 December 2014

Want To Speak About Your DNSSEC Or DANE Work, Tool or Service? (ICANN52 CFP)

Will you be attending ICANN 52 in Singapore in February 2015?  If so, and if you work with DNSSEC or DANE ,...

Call For Proposals: DNSSEC Workshop at ICANN 51 in L.A. on October 15, 2014
Deploy36030 July 2014

Call For Proposals: DNSSEC Workshop at ICANN 51 in L.A. on October 15, 2014

Do you have an idea for a better way to work with DNSSEC?  Have you created a new tool or...

Join the conversation with Internet Society members around the world