Are you are network operator or Internet service provider (ISP) seeking to understand what you need to do to implement DNSSEC within your network? Are you looking for guidance to help you understand how to proceed?
If so, the U.S. Federal Communications Commission (FCC) just published a set of “DNSSEC Implementation Practices for ISPs” through one of the working groups of its Communications Security, Reliability and Interoperability Council (CSRIC). The 29-page PDF is available at:
The document provides:
- A brief overview of DNS and DNSSEC
- A view of the current state of DNSSEC deployment
- How Internet Service Providers (ISPs) can use DNSSEC
- An analysis of the key drivers and challenges for implementing DNSSEC
- Specific best practice recommendations to ISPs for deploying DNSSEC
The key recommendations of the working group include:
- ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC-aware, as soon as possible.
- Key industry segments, such as banking, credit cards, e-commerce, healthcare and other businesses, sign their respective domain names. The FCC ask industry-leading companies in key sectors commit to doing so, in order to create competitive pressure for others to follow. These industries may be prioritized based on the prevalence of threats to each one, which would mean focusing on financially related sites first, followed by other sites that hold private user data.
- Software developers such as web-browser developers study how and when to incorporate DNSSEC validation functions into their software. For example, a browser developer might create a visual indicator for whether or not DNSSEC is in use, or perhaps only a visual warning if DNSSEC validation fails.
We’re very pleased to see these recommendations as they are very much in line with what we’ve been promoting here on the site about DNSSEC – and are very much in line with our recent analysis of DNSSEC challenges and opportunities.
If you are an ISP or network operator, these recommendations from the FCC are definitely ones to consider and act on. Kudos to the CSRIC Working Group and the FCC for publishing this document.
Thanks to the DNSSEC Deployment Initiative for pointing out that these recommendations were published.