‹ Back
Deploy360 22 February 2013

Canada Joins The DNSSEC World – Sign Your .CA, Eh?

By Dan York Senior Manager, Content and Web Strategy

Toy beaver from .CACongratulations to our friends up North in Canada for the DNSSEC signing of the .CA domain, joining the ever-growing list of top-level domains (TLDs) that are securing their DNS records with DNSSEC!  As Jacques Latour of the Canadian Internet Registration Authority (CIRA) outlined in a CIRA blog post they took some time to ensure their system was resilient:

We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages.

We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently. These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work.

It’s great that CIRA went through this effort and we look forward to learning from them as they share more information about what they did.

Now, publishing the signed .CA zone is just the first step in enabling DNSSEC for .CA domains.  They still have some work to do before they can begin accepting DS records from registrars that support DNSSEC.  Their stated goal is to complete that work this year so that in 2014 they can begin accepting signed domains.

In the meantime, we’ve been told that people who can sign and host their .CA domains can contact CIRA at to find about how to manually get their DS record into the .CA zone.

This is great work and we look forward to seeing more about DNSSEC and .CA over this year.  CIRA has published a DNSSEC page with information. Over on Dark Reading, David Schwartzberg also wrote about Canada joining the DNSSEC party.

Congrats, again, to Jacques Latour and the whole team at CIRA!

P.S. And yes, I did pick up the toy beaver in the photo from a .CA booth at a conference… having lived in Canada for 5 years I enjoy that the .CA team can have some fun with some of the Canadian stereotypes. 🙂

‹ Back

Related articles

ION Toronto - Deploying DNSSEC: A .CA Case Study
Deploy36022 January 2014

ION Toronto – Deploying DNSSEC: A .CA Case Study

This week we’ll be highlighting sessions from our last ION Conference in Toronto, Canada. At ION Toronto in November, Jacques...

CIRA / .CA Launches DNSSEC Info Center and Draft DNSSEC Practice Statement
Deploy36022 February 2012

CIRA / .CA Launches DNSSEC Info Center and Draft DNSSEC Practice Statement

DNSSEC is coming soon to the .CA domain! The Canadian Internet Registration Authority (CIRA) recently announced a draft of their...

DNSSEC Algorithm Roll-over
Deploy3607 November 2015

DNSSEC Algorithm Roll-over

RIPE Labs have just published an interesting article about their experiences of rolling over the algorithm used to sign a...

Join the conversation with Internet Society members around the world