Deploy360 Domain Name System Security Extensions (DNSSEC)

How Can We Visualize Generic TLDs (and newGTLDs) In Our DNSSEC Deployment Maps?

What is the best way to visualize the DNSSEC deployment status of the “generic top-level-domains (gTLDs)” in our DNSSEC deployment maps that go out weekly? Obviously since gTLDs (including the “newgTLDs”) are not tied to a country, there is no way to display them on an actual map as we do for all the ccTLDs.

Given that, how else could we display the gTLDs in a way that is useful? Right now, their DNSSEC deployment status is included in the CSV files that are sent out to subscribers of the dnssec-maps mailing list (to which anyone can subscribe). But could we create an image of some type that showed the different deployment states? Perhaps something like the image in this post (only with the actual Unicode characters)?

And what would be the best way to do that given that we’ll soon have hundreds and maybe even thousands of generic TLDs?

My primary interest is to have some image that we can use in presentations (or on a website) that visualizes the current state of DNSSEC deployment within the gTLDs. We’re tracking the data in our database… we just need some way to make it more interesting than simply a list out of a CSV file.

I’d be curious to hear any feedback you all may have, either left as a response to this blog post, as a comment on the issue I opened up on GitHub, in social media where this is posted or as email back to us.

And then, of course, I need someone with sufficient Python background working with image-generation libraries who can help make the visual image a reality… but let’s perhaps figure out what we want first, eh?


4 NewgTLDs Launched Yesterday Marks Dawn of “DNSSEC From The Start” TLDs

Yesterday was a big day for the Domain Name System (DNS). After a long process, ICANN formally delegated the first four of the “new generic top-level domains (newgTLDs)”, marking the beginning of the largest expansion of the domain name space ever. In addition to the existing “generic TLDs” like .com, .org, .net, etc., and the existing “country code TLDs (ccTLDs)” like .nl, .cz, .tv, etc., over the months and years ahead there are some 1,400 newgTLDs that are expected to be launched.

These first four newgTLDs are interestingly not English-language names like “.shop” or “.bank”, but instead what are called “Internationalized Domain Names (IDNs)” in non-Latin alphabets:

  • شبكة (xn--ngbc5azd) – Arabic for “web/network”
  • онлайн (xn--80asehdb) – Cyrillic for “online”
  • сайт (xn--80aswg) – Cyrillic for “site”
  • 游戏 (xn--unup4y) – Chinese for “game(s)”

Yesterday’s “delegation” means that these TLDs now appear in the root zone of the DNS and the registries who operate these TLDs can now begin the process of selling domain names underneath these TLDs.  There is a formal process the registries have to go through to get started, but soon we should see these TLDs available as options for registration at the registrars who are supporting these TLDs.

Now, the exciting aspect of this news from a Deploy360 point of view is simply this:

All of these newgTLDs MUST be signed with and use DNSSEC!

From the very beginning of their operation these newgTLDs are already starting out with more security enabled than many of the existing country-code TLDs (ccTLDs).  If you look at ICANN’s “TLD DNSSEC Report” you can see that pretty much all of the existing major “generic TLDs” (ex. .com, .org, .net, .edu) are signed with DNSSEC.  Similarly over 100 of the existing ccTLDs are signed with DNSSEC.  These four newgTLDs can also be found in that report, with a nice green bar showing that they are all signed with DNSSEC.

The key point here is that these new registries must:

1. Keep the TLD signed with DNSSEC from an operational point of view.
2. Accept DNSSEC records (DS/DNSKEY) from registrars (or domain registrants depending upon the business model).

One important point:

Support of DNSSEC by a newgTLD does NOT mean that ALL domains registered under the newgTLD will be secured with DNSSEC!

But it means that all domain names registered under the newgTLD CAN be secured with DNSSEC – and that is a great step forward!

Furthermore, the new ICANN Registrar Accreditation Agreement (RAA) will require all “ICANN-accredited registrars” to support the passing of DNSSEC records from a domain name registrant up to the TLD registry. This means we should be seeing a great deal more DNSSEC support from the registrars. Hopefully the DNS operators (which are sometimes part of registrars) will follow by making it easy for domain name holders to sign their domains.
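The distinction above (a signed TLD versus a signed domain under it) comes down to whether a DS record matching the child's DNSKEY sits at the parent. The following is an added example, not code from Deploy360 or ICANN: it models that linkage for the сайт TLD, where the key bytes and second-level names are constructed, and it checks only DS/DNSKEY linkage with no signature validation.

```python
import hashlib

def alabel(label):
    """IDN U-label -> ASCII A-label (xn--...), as stored in the DNS."""
    return label.encode("idna").lower()

def wire_name(name):
    """Canonical DNS wire form: length-prefixed A-labels plus the root byte."""
    return b"".join(bytes([len(a)]) + a
                    for a in map(alabel, name.rstrip(".").split("."))) + b"\x00"

def ds_digest(owner, dnskey_rdata):
    """SHA-256 DS digest per RFC 4034 5.1.4: H(owner wire name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + dnskey_rdata).hexdigest()

def classify(name, zones):
    """Walk zone cuts from the TLD down. Simplified: checks DS/DNSKEY linkage
    only, no RRSIG or NSEC validation, and assumes the root is the trust anchor."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:])
        rec = zones.get(zone)
        if rec is None:
            continue                      # no zone cut at this label
        if rec["ds"] is None:
            return "insecure", zone       # parent holds no DS: chain stops here
        if rec["dnskey"] is None or ds_digest(zone, rec["dnskey"]) != rec["ds"]:
            return "bogus", zone          # DS present but matches no key
    return "secure", name

# Constructed sample data: key material and second-level names are made up.
HDR = bytes.fromhex("01010308")           # flags=257 (KSK), protocol=3, alg=8
K_TLD, K_A, K_OLD = HDR + b"tld-key", HDR + b"key-a", HDR + b"old-key"
ZONES = {
    "сайт":        {"dnskey": K_TLD, "ds": ds_digest("сайт", K_TLD)},
    "signed.сайт": {"dnskey": K_A, "ds": ds_digest("signed.сайт", K_A)},
    "island.сайт": {"dnskey": K_A, "ds": None},   # signed, DS never sent up
    "plain.сайт":  {"dnskey": None, "ds": None},  # never signed
    "stale.сайт":  {"dnskey": K_A, "ds": ds_digest("stale.сайт", K_OLD)},
}

if __name__ == "__main__":
    for n in ("www.signed.сайт", "island.сайт", "plain.сайт", "stale.сайт"):
        print(n, classify(n, ZONES))
```

The `island` case is the one registrar support for DS/DNSKEY submission addresses: the zone is signed, but validators treat it as unsigned until the DS reaches the registry.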

All in all this newgTLD launch is great news for those of us looking to add more security to the Internet through the use of DNSSEC. From here on out all the newgTLDs will be launched with DNSSEC – and hopefully this will also put some competitive pressure on the lagging ccTLDs (and a few lagging gTLDs) to join the rest of the TLDs that have already signed their domains.

And in the end, we’ll have a more secure Internet protecting users from attackers and also enabling new and innovative forms of security such as DANE’s protection of SSL/TLS certificates.

Congratulations to all the teams at these four registries (and their operators) and also at ICANN on this launch of the first new – and secure – gTLDs!

P.S. Want to understand DNSSEC and how (or why?) you can get started?  Check out our DNSSEC Basics page