Deploy360 Domain Name System Security Extensions (DNSSEC)

DNSSEC Activities At ICANN 56 In Helsinki – 27-28 June 2016

ICANN 56 logoNext week is the 56th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) in Helsinki, Finland, and while it is a smaller “policy forum” style of meeting, there will still be some activities related to DNSSEC, DANE and DNS security in general.  Unlike the larger meetings, there will not be the “DNSSEC for Everybody” session with its ever-popular skit. The 6-hour DNSSEC Workshop will also be moved to Monday from its traditional Wednesday – and will split the day with “Tech Day”. The informal DNSSEC Implementers Gathering will also move from Monday evening to Tuesday evening.

So with all that, here’s what the schedule looks like…

DNSSEC Workshop

The DNSSEC Workshop will take place on the morning of Monday, 27 June 2016. All times are Eastern European Summer Time (EEST), which is UTC+3.

We are grateful to four companies for their sponsorship of this event:  Afilias, CIRA, Dyn and SIDN.

  • 09:15-09:30–Introduction/Maps: Dan York, Internet Society
  • 09:30-10:00–Measurement Survey of Server-Side DNSSEC Adoption: Matthäus Wander
  • 10:00-10:15–Observation of DNSSEC Trends: Geoff Huston, APNIC
  • 10:15-11:15–Panel Discussion: DNSSEC Deployment Challenges: Nick Shorey, Dani Grant, CloudFlare, Ari-Matti Husa, FICORA, Geoff Huston, APNIC
  • 11:15-11:45–KSK Rollover and ZSK Length Increase: Roy Arends, ICANN and Duane Wessels, Verisign
  • 11:45-12:00–DNSSEC Encryption Algorithms: Dan York, Internet Society, and Ondrej Sury, CZNIC
  • 12:00-12:15–DNSSEC: How Can I Help? Dan York, Internet Society, and Russ Mundy, Parsons
  • 12:15-12:30–DNSSEC/DNS Quiz: Roy Arends, ICANN
  • 12:30-13:30–Sponsored Lunch

All sessions will be available for remote participation and will be recorded for later viewing:

We’ve got some great sessions and we’re looking forward to another exciting session! And after lunch you can stay around for “Tech Day” where there will be a range of other DNS-related talks.

DNSSEC Implementers Gathering

On Tuesday evening, many of us who have been involved with DNSSEC, DANE or “DNS security” will gather informally at a local restaurant in Helsinki.  We’ll have some light food, drinks and conversation.  If you’d like to join us, please email me at .

And… that will be it!  There’s no Technology Experts Group (TEG) meeting with the ICANN Board or anything else that we usually are involved with.

If you are at ICANN 56 please do say hello – you can find me in these sessions… or drop me a note at and we can arrange a time to connect.

And … if you want to get started with DNSSEC and DANE, please visit our Start Here page to find resources that can help!


Deploy360 Domain Name System Security Extensions (DNSSEC) Events

Call for Participation – ICANN 56 DNSSEC Workshop in Helsinki, Finland on 27 June 2016

ICANN56 Helsinki logoDo you have an idea for an innovative use of DNSSEC or DANE? Did you develop a new tool or service that works with DNSSEC? Have you recently deployed DNSSEC or DANE and have some “lessons learned” that you could share? Have you enabled DNSSEC by default in your products? (And why or why not?) Do you have ideas about how to accelerate usage of new encryption algorithms in DNSSEC?

We are seeking presenters on all these topics and more for the DNSSEC Workshop on June 27, 2016, at ICANN 56 in Helsinki, Finland. The full “Call for Participation” is found below.

If you have an idea and will be at ICANN 56 (or can get there), please send a brief email to by Wednesday, May 18.

Thank you!

Call for Participation — ICANN DNSSEC Workshop at ICANN 56 in Helsinki, Finland

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 56 meeting on 27 June 2016 in Helsinki, Finland. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN  55 meeting in Marrakech, Morocco, on 09 March 2016. The presentations and transcripts are available at:

Examples of the types of topics we are seeking include:

1. DNSSEC Deployment Challenges

The program committee is seeking input from those that are interested in implementation of DNSSEC but have general or particular concerns with DNSSEC. In particular, we are seeking input from individuals that would be willing to participate in a panel that would discuss questions of the nature:
— What are your most significant concerns with DNSSEC, e.g., implementation, operation or something else?
— What do you expect DNSSEC to do for you and what doesn’t it do?
— What do you see as the most important trade-offs with respect to doing or not doing DNSSEC?

We are interested in presentations related to any aspect of DNSSEC such as zone signing, DNS response validation, applications use of DNSSEC, registry/registrar DNSSEC activities, etc.

2. DNSSEC by Default

As more and more applications and systems are available with DNSSEC enabled by default, the vast majority of today’s applications support DNSSEC but are not DNSSEC enabled by default. Are we ready to enable DNSSEC by default in all applications and services? We are interested in presentations by implementors on the reasoning that led to enable DNSSEC by default in their product or service. We are also interested in understanding those that elected not to enable DNSSEC by default and why, and what their plans are.

3. DNSSEC Encryption Algorithms

How do we make DNSSEC even more secure through the use of elliptic curve cryptography? What are the advantages of algorithms based on elliptic curves? And what steps need to happen to make this a reality? What challenges lie in the way? Over the past few months there have been discussions within the DNSSEC community about how we start down the path toward adding support for new cryptographic algorithms such as Ed25519 and Ed448. At ICANN 55 in Marrakech we had a panel session that explored why elliptic curve cryptography was interesting and some high level views on what needs to happen. At ICANN 56 we are interested in presentations that dive into greater detail about what needs to be done and how we start the process. More background information can be found in this document:

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to by Wednesday, 18 May 2016.

We hope that you can join us.

Thank you,
Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Luciano Minuchin, NIC.AR
Russ Mundy, Parsons
Ondřej Surý, CZ.NIC
Yoshiro Yoneya, JPRS
Dan York, Internet Society