Deploy360 11 April 2012

FCC Publishes DNSSEC Recommendations for ISPs

By Dan YorkDirector, Internet Technology

FCC CSRIC logoAre you are network operator or Internet service provider (ISP) seeking to understand what you need to do to implement DNSSEC within your network? Are you looking for guidance to help you understand how to proceed?

If so, the U.S. Federal Communications Commission (FCC) just published a set of “DNSSEC Implementation Practices for ISPs” through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC).  The 29-page PDF is available at:

The document provides:

  • A brief overview of DNS and DNSSEC
  • A view of the current state of DNSSEC deployment
  • How Internet Service Providers (ISPs) can use DNSSEC
  • An analysis of the key drivers and challenges for implementing DNSSEC
  • Specific best practice recommendations to ISPs for deploying DNSSEC

The key recommendations of the working group include:

  1. ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC-aware, as soon as possible.
  2. Key industry segments, such as banking, credit cards, e-commerce, healthcare and other businesses, sign their respective domain names. The FCC ask industry-leading companies in key sectors commit to doing so, in order to create competitive pressure for others to follow. These industries may be prioritized based on the prevalence of threats to each one, which would mean focusing on financially related sites first, followed by other sites that hold private user data.
  3. Software developers such as web-browser developers study how and when to incorporate DNSSEC validation functions into their software. For example, a browser developer might create a visual indicator for whether or not DNSSEC is in use, or perhaps only a visual warning if DNSSEC validation fails.

We’re very pleased to see these recommendations as they are very much in line with what we’ve been promoting here on the site about DNSSEC – and are very much in line with our recent analysis of DNSSEC challenges and opportunities.

If you are an ISP or network operator, these recommendations from the FCC are definitely ones to consider and act on.  Kudos to the CSRIC Working Group and the FCC for publishing this document.

Thanks to the DNSSEC Deployment Initiative for pointing out that these recommendations were published.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...