We were very pleased to see InfoWorld publishing this week an article by Roger Grimes titled “Boost your Internet security with DNSSec” that lays out the case for implementing DNSSEC and explains the validation side of DNSSEC. Given the large audience that InfoWorld has, it is good to see DNSSEC getting this coverage.
I’d suggest another useful resource for people reading that article would be SURFNet’s white paper about enabling DNSSEC validation in DNS resolvers, as that paper provides step-by-step guidance for enabling validation in BIND, Unbound and Windows Server 2012.
I’d also note for people wanting to experiment with DNSSEC validation, Google’s Public DNS servers do now support DNSSEC and so you can at least temporarily point your system to Google’s servers to try out validation. As we’ve also noted in the past, anyone who is a Comcast subscriber in North America also has DNSSEC validation happening by default, as do people using many of the ISPs in Sweden, Brazil and the Czech Republic.
As I noted at the beginning, the article covers the validation side of DNSSEC, but for that to really work we also need to get more domains signed with DNSSEC. I would encourage people to look at our tutorials on how to sign your domain using common registrars – and to ask your registrar when they will let you use DNSSEC if they are not on the list of DNSSEC-capable registrars maintained by ICANN.
Again, it’s great to see InfoWorld covering DNSSEC and I do hope they’ll provide more such articles in the future. If we can get DNSSEC deployed more widely we’ll go very far in upgrading the security of the Internet!
P.S. I was also intrigued by Grimes’ link to this video of a DNSSEC app for Android from back in 2011. It looks like a basic browser to check the DNSSEC status of sites. I may have to investigate a bit more...