Afilias plans to deploy Domain Name System Security Extensions in 13 more top-level domains 

DUBLIN, IRELAND  – 23 August 2010 – Afilias, a global provider of Internet infrastructure services, today announced that it will deploy Domain Name System Security Extensions (DNSSEC) across its registry platforms, signing 13 more top-level domains (TLDs) and increasing DNSSEC deployment among domain registries by 50 percent.

“Afilias has been a leader in DNSSEC deployment, including working closely with .ORG to plan, design and implement the .ORG DNSSEC strategy as early as 2007,” said Ram Mohan, Executive Vice President and Chief Technology Officer for Afilias. “We are pleased to introduce DNSSEC across our registry and DNS platform, protecting TLDs in our care from DNS cache poisoning and man-in-the-middle attacks, while maintaining consistency and convenience for registrars and their customers."

DNSSEC development began in the early1990s, but only recently became ready for broad deployment as an additional security measure to protect the DNS from cache poisoning exploits. Recently referred to as the Kaminsky bug, this exploit can allow malicious entities to intercept Internet users’ requests to access a website, and redirects or eavesdrops on these users without their knowledge, and with no ability to reassert control. DNSSEC introduces digital signatures to the DNS infrastructure and automatically ensures that users’ are not hijacked and taken to an unintended destination.

To deploy DNSSEC for these additional TLDs, Afilias is introducing a new global strategy, launched under its “Project Safeguard” initiative.  Project Safeguard includes a registry and DNS infrastructure upgrade across Afilias’ global technology platforms to support DNSSEC. It also includes a year-long registrar training initiative to address technical issues concerning implementation of DNSSEC in registrar-registry transactions.

As part of Project Safeguard, Afilias conducted research across domain name registrars to understand the issues they face with DNSSEC deployment. Afilias’ Registrar DNSSEC Readiness Report found that:·       

• Registrars think DNSSEC is a good idea, but are not yet fully prepared to offer consumer services.  80 percent of registrars believe that top-level domain (TLD) registries should offer DNSSEC. However 90 percent of registrars currently feel completely unprepared or only somewhat prepared to actually offer DNSSEC services to their customers as this time.        
• 69 percent of Registrars plan to offer DNSSEC services in 2011 or beyond. 32 percent have no plan to introduce DNSSEC within the next 12 months.      
• Consumer demand is the biggest challenge for registrars. 56 percent cite a lack of consumer demand as their biggest challenge impeding their DNSSEC implementation.       
• Registrars also cite issues with deploying DNSSEC technology:  For example, nearly 20 percent cite the management of DNSSEC keys as their number one concern, followed by more than 18 percent that cite overall DNSSEC technology and expertise.  

“Our goal is to help registrars navigate the challenges of enabling the next generation of Internet security with DNSSEC, by providing a simple and singular enablement process to easily deploy DNSSEC across Afilias-supported domain registries,” said Mohan. “The Project Safeguard initiative should ease the technical burden of DNSSEC deployment and could spur user adoption."

Afilias will deploy DNSSEC first in the .INFO domain in September, to be followed by TLDs that it supports in Asia, the Latin America/Caribbean, and Europe. Based on the proven strategy for the .ORG registry’s successful DNSSEC deployment effort, Afilias will adopt a similar, careful, step-by-step approach.  This strategy will include a “friends and family period” which will coincide with registrar outreach.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

###

DNSSEC statistics source: DNSSEC Deployment Initiative https://www.dnssec-deployment.org/wp-content/uploads/2010/06/TLD-deployment-Table1.pdf  As of 13 August 2010 26 TLDs had deployed DNSSEC. 

Leading members of media and technology will select the short list of finalists to vie for Best .INFO Website of 2010

DUBLIN, IRELAND  – 17 August 2010- Afilias, a global provider of Internet infrastructure services and the registry for the .INFO top-level domain (TLD), today released the roster of judges selected to evaluate submissions to the fourth annual .INFO Awards program. The Awards program, which opened last week, enables any .INFO website owner to submit their site for consideration to receive top honors as the “Best .INFO Website of 2010” and receive a cash prize of up to $7,500.

“Afilias is pleased to have such high caliber judges from the fields of online information, media, and technology,” said Roland LaPlante, Senior Vice President and Chief Marketing Officer for Afilias. “This year’s panel consists of judges from many different countries and three continents, truly representing the global nature and appeal of the .INFO domain.”

The 2010 judging panel will be made up of seven distinguished individuals from the online, media and technology industries. They include:
• Dominik Grollmann, editor in chief, Internet World Business (Germany)
• Grant Allaway, group managing director, AD2ONE  (UK)
• Peter Prestipino, editor in chief, Website Magazine (US)
• Liam Eagle, editor in chief, the Web Host Industry Review (Canada)
• Anand Parthasarathy, editor, IndiaTechOnline.com (India)
• Katy Tafoya, creator and editor, ConstantChatter.com (US)
• Philipp Grabensee, chairman of the board, Afilias (Germany)

The judging panel will review all eligible sites submitted for consideration based on five key criteria including: presentation of content, functionality of the website, design, usability, and originality.
For details on entry requirements and restrictions please visit the Awards Rules. For more details on the .INFO Awards or to submit your site visit www.INFO-award.info.

About the .INFO Awards
The .INFO Awards honors the best .INFO websites and highlights the usefulness that the .INFO domain has added to the Internet in the nine years since its debut. Any .INFO domain owner may submit their website for consideration until September 10, 2010. A shortlist of the 10 finalists, based on the judges’ scores, will be published on October 5, 2010. Members of the public will then be able to vote for their favorite of the top 10 sites until November 2. The public votes will be combined with the judges’ scores to select the top 3 winners, with first place being named the “Best .INFO website of 2010.”  Winners will receive cash prizes allocated as: US$7,500 for first place, US$5,000 for second place, and US$3,000 for third place.

About .INFO
.INFO was the first generic, unrestricted TLD to be launched since .com and is the most successful new TLD launched in over 25 years. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world with over 6 million domain names registered. .INFO Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information on .INFO please visit www.info.info.  

About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.
###

If the rise of phishing has taught us anything, it's that on the Internet, if a digital asset has value, there's somebody out there who wants to steal it. Whether it's a bank account password, a credit card number, a PayPal login, or even a magic sword in an online game, there's a fraudster somewhere trying to misappropriate it for his or her own nefarious purposes.

Domain names have always been a target for such criminals. Companies and individuals doing business online have few assets more valuable than their domain name. It may cost $10 or less to register one, but the domain name is the glue that connects a company to its customers; revenue and brand equity depend upon its security.

Domain theft is not a new phenomenon, of course. Sex.com, for example, was hijacked all the way back in 1995, when there was only one registrar. Its true registrant had to spend years in court to retrieve it. In more recent years, high-profile domains such as Panix.com, Baidu.com and even ICANN.org have been temporarily stolen by attackers using social engineering to exploit process vulnerabilities at domain name registrars.

It's surprising, given that domain name hijacking predates the creation of the competitive registrar market itself, that the industry has not done more in the last decade to mitigate the risks. ICANN's Security and Stability Advisory Committee (SSAC) noted as recently as last year that "pure play, secure registration service providers are rare, in part due to the fact that evaluating security measures does not play as prominent a role in customer decisions when choosing a registrar as it should."

However, registrant apathy regarding security may already be changing, according to a recent survey of savvy registrants.

There are three areas where registrars, in general, have room for improvement when it comes to security.

1. Better Authentication

The simple username/password authentication approach so common at Registrars has repeatedly been found vulnerable to social engineering attacks and should not be considered strong enough security for high-value domain name accounts. This is especially true when automated password reminders are available. If all an attacker needs to do is compromise a password or e-mail address in order to have complete control over a domain portfolio, registrants have the right to ask for stronger authentication.

Nowadays, it's common practice for large financial institutions to allow, or even require, multi-factor authentication before giving customers access to valuable assets. But it's not just banks. After the phishing black market put a dollar value on World of Warcraft accounts, the game's developer had to start offering players one-time password tokens, in the form of key fobs, as a second authentication factor, to decrease fraud.

When you think about it, the fact that magic swords are sometimes offered a greater degree of protection than domain names is pretty crazy.

2. Notifications

When someone logs into a registrar domain account they are given virtually the “keys to the kingdom” for that organization’s entire domain portfolio and DNS settings. If domain account access is compromised, then all it takes for the criminal is to login to the registrar account, change the registrant and other contacts associated with the domain, and then either change the DNS information to point to a new site or transfer the domains to a completely different registrar where it is difficult for to reclaim the names.

It is time registrants get routinely notified when such changes are made to their domain name portfolio, whether via e-mail, text or perhaps even telephone for the most critical items. The best scenario is to notify two or more authorized employees to provide for shift changes and/or redundancy. Social engineering is the attack of choice for hijacking domains, and it's harder to impersonate two people than one.

Because e-mail accounts are easier to compromise than phone numbers, using out-of-band communications channels, such as telephone or SMS text message, could also increase security.

3. Access Control

Usually, authenticated registrants have global privileges: they can change name servers, transfer out domains or cancel renewals, for example. The risk of domain hijacking could be further mitigated by employing more granular access controls once a customer has been "authenticated". Many registrants may wish to use a higher level of security on their primary domains, limiting critical privileges to certain high-status users. The learning curve here could be eased somewhat by the fact that existing registrar Whois records already usually describe at least three roles – the administrative, technical and billing contacts.

Registrars should enable Registrants to designate different contacts for different authority levels. This would accord Registrants the choice of better protection.

None of these measures need to be a drain on registrars' margins. Indeed, once in place, these will save money that is now spent resolving disputes after the fact by making criminal activity more difficult. Further, with domain name registrants increasingly looking at registrars' security provisions before they make their purchasing decisions, the opportunity presented by value-added premium services, designed for security and marketed to customers with high-value domain portfolios, should be obvious. Criminals look for the softest targets; with a little effort in just 3 areas, registrars can significantly improve the security they provide for registrants.

For more reading on this topic, see SSAC’s advisory to registrars on improving security: SAC040

(Disclosure: I am one of the charter members of SSAC)

Fourth annual .INFO Awards program will offer US$15,000 in prizes

DUBLIN, IRELAND – 10 August 2010 – Afilias, a global provider of Internet infrastructure services and registry for the .INFO top-level domain (TLD), today announced the opening of its fourth annual .INFO Awards program which recognizes the best .INFO websites around the world. From August 9th to September 10th any .INFO domain owner may submit their website to the .INFO Awards for a chance to win honors as the “Best .INFO website of 2010.”

“.INFO is an intuitive domain name choice for anyone looking to share their information with the world,” said Roland LaPlante, Chief Marketing Officer for Afilias. “.INFO has been the most successful new TLD ever launched, as evidenced by the millions of sites now operating worldwide. The .INFO Awards program not only gives us the opportunity to highlight the best .INFO sites from around the world, but also to allow Internet users to voice their support for their favorite ones.”

 Afilias first launched the .INFO Awards program in Germany in 2007 and expanded the awards internationally in 2009. 2010 will mark the fourth year of honoring the best .INFO websites and highlighting the usefulness that the .INFO domain has added to the Internet in the nine years since its debut.

Qualifying submissions will be evaluated by a panel of online and media experts based on five key criteria including: presentation of content, functionality of the website, design, usability, and originality. The panel of judges will be announced on August 17th and will consist of experts in the fields of websites, design, and media.

A shortlist of the 10 finalists based on the judges’ scores will be published on October 5, 2010. Members of the public will then be able to vote for their favorite of the top 10 sites until November 2 at 11:59 pm ET. The public votes will be combined with the judges’ scores to select the top 3 winners, with first place being named the “Best .INFO website of 2010.” Winners will receive cash prizes allocated as: US$7,500 for first place, US$5,000 for second place, and US$3,000 for third place.

 For details on entry requirements and restrictions please visit the Awards Rules. For more details on the .INFO Awards or to submit your site visit www.INFO-award.info.

About .INFO:

.INFO was the first generic, unrestricted TLD to be launched since .com and is the most successful new TLD launched in over 25 years. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world with over 6 million domain names registered. .INFO Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information on .INFO please visit www.info.info.

About Afilias:

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit http://afilias.info.

Almost exactly nine years ago, the .INFO domain first started accepting registrations.  This was an historic event as it was the first time a new generic top-level domain (TLD) was launched to an existing domain marketplace and, in fact, was the first new TLD to be added since .com.  We’ve seen (and provided technology to power) many other TLD launches since then, with many business models.  As you seek to introduce your own new TLD however, you should carefully evaluate the different launch models that have been tried before and determine which one will work best for your specific TLD.

Trademark Protection
All new TLDs will require some form of trademark protection to ensure that Intellectual Property (IP) holders’ rights can be protected prior to live, public registrations.  Afilias has implemented a number of different types of trademark protection plans from pre-registration without trademark verification, to those with extensive application and verification processes.  We’ve seen the best success with a very focused trademark pre-registration period that has clear trademark parameters and works with a known trademark verification agent to weed through all of the submissions.  We also recommend that all registries lock pre-registered trademark domains for up to 60 days following their registration award to allow for any potential UDRP claims that IP owners may wish to file.  

Landrush
Landrush will be the most critical time for your TLD as it places the heaviest load on the technical registry system.  We’ve seen in excess of 300,000 names coming in through initial landrush opening minutes, so you want to be very careful about who you select as your registry partner.  You should make sure that their registry has been tested to withstand a significant landrush load.

In addition, you will have to make some policy decisions about how you want landrush to work. In almost all cases you should avoid pre-registration fees with a “chance” at getting your name. These can be viewed as lottery-based systems that can subject your organization to new legal restrictions.  We highly recommend that clients not charge for applications, but only for awarded names.

Regardless, you need to decide if you will open the floodgates all at once, or if you want to have multiple, specialized application periods (see below) in advance of the “public” opening.

Premium Names and Auctions
In recent years TLDs like .info, .mobi, .asia and .me have seen good success by reserving premium names, which are highly desirable generic or category terms.  In .info’s case, we reserved a number of country domains and have awarded them for use by their respective governments (some great examples are spain.info and germany.info).  Other TLDs have used reserved name lists for auctions following landrush.

Premium or other reserved names can fit well into your new TLD’s strategy, particularly if you will be representing a certain category or key community where they will present more value.  An auction approach helps to raise the price, and therefore perceived value of these names, and can help put your registry on a sound financial footing more quickly.  

RFPs
If auctions are not to your taste, other domains have also seen success by simply launching a period where interested users can respond to a “request for proposal” with a business and launch plan for a highly desirable name.  As a registry, you can offer additional promotion, partnerships or advertising to help assist with the launch of these sites, which can also act as great brand ambassadors for your fledgling TLD.

Each new TLD will have its own priorities. However, at the end of the day, you need a plan that will get lots of names into your target market quickly, generate awareness of your TLD (so it will be viewed as a legitimate place to visit by Internet users), and demonstrate actual use in the market (i.e. real sites and e-mail).  Your launch plan is critical to establishing these building blocks quickly. If you are not a TLD expert, consider teaming up with someone who has been there before.

What were you doing this week back in 1985? Answer: Probably watching the debut of Back to the Future, a early Steven Spielberg movie which incorporated novel uses of technology to travel in time. During that same time in 1985, however, another innovative use of technology was also making its debut—one with much greater implications for improving our lives on a global scale.

On July 10, 1985 the first .ORG domain name – mitre.org – was registered, joining the initial registrations in .com and 5 other “generic top level domains” in the Internet’s Root zone. This date marks the starting point of the Internet revolution by allowing Internet users to locate online resources by easy-to-remember names instead of complex numbers. Making the Internet more accessible has spurred global economic development, improved freedoms and increased access to knowledge for the last 25 years.

Afilias is pleased to be a partner with .ORG, The Public Interest Registry (PIR) in supporting the millions of .ORG domains now in use worldwide. We are proud to provide state of the art registry and DNS services which ensure that .ORG is a reliable and secure home for the millions of organizations worldwide who depend on their .ORG online identity to pursue their missions. We have worked closely for the past seven years with PIR and its parent organization, the Internet Society (ISOC), to continuously upgrade the critical infrastructure supporting .ORG to meet the needs of both current and future Internet users. The recent deployment of a significantly upgraded security technology, DNSSEC, across the .ORG domain is but one example of how PIR, ISOC and Afilias join together to ensure the .ORG domain is exemplary, safe and trusted.

Since 2003, when PIR became the steward of .ORG, .ORG has grown by almost 300% to over 8 million domains. This growth is a testament to the dedicated and focused team at PIR, the secure and reliable technology underpinning the registry, and to the engaged base of active registrars, who serve the expanding core of .ORG registrants and the larger universe of .ORG Internet users. The achievements of .ORG over the past twenty-five years in general and the seven years in particular point to a great renaissance and a period of extraordinary activity and success for .ORG, and bode well for the next twenty-five years.

The entire team at Afilias congratulates Alexa Raad, CEO of PIR, her team, ISOC and the Internet community on achieving this important and historic milestone. Happy Birthday .ORG!

The board resolved on Friday to dedicate its two-day retreat in September entirely to working on the issues that remain outstanding in the Draft Applicant Guidebook. The current version of the DAG, the fourth, is expected to be the final draft before applications become open to potentially hundreds of prospective new TLD registry operators.

ICANN Chairman Peter Dengate Thrush said the final Applicant Guidebook could be ready or almost ready for approval as early as December this year, when the ICANN community will meet in Cartagena, Colombia. Companies wishing to apply for their ".brand" TLD in the first round could find themselves able to do so in the first half of next year and should start their planning process now if they have not already.

However, because ICANN is a bottom-up policy-making organization, there are still issues that the community needs to resolve before the board can act. The procedures for providing intellectual property protection to trademark holders have almost been finalized, and the ICANN Governmental Advisory Committee has been asked for further guidance on how to handle its concerns about "morality and public order" in new TLDs. Registries and registrars are also continuing to make progress towards a consensus view on cross-ownership and vertical integration.

One key element of the new TLD process is the requirement that all new TLDs incorporate DNSSEC at launch.  DNSSEC took another significant step forward at this meeting with the signing of http://www.isoc.org/ as the first second level .ORG to be secured by this new security protocol.  The .org TLD is the largest TLD to date to deploy DNSSEC at the zone level; and the http://www.isoc.org/ signing paves the way for EVERY .ORG to be secured via DNSSEC.

There was also good news in Brussels for the world's over one billion Chinese speakers, as the ICANN 

Board voted to approve three Chinese-script internationalized domain names for addition to the root. The country-code managers for China, Taiwan and Hong Kong, who received standing ovations following the Board's decision, will soon be able to distribute addresses ending in their IDN scripts.  These TLDs will join several other country-specific strings that were applied for in the "fast -track" process approved at the Nairobi meeting.

Attendees at the public ICANN meeting in Brussels today heard from over two dozen companies that have implemented or are planning to support DNSSEC, the next-generation standard protocol for secured domain names. It is clearer than ever before that DNSSEC is becoming a reality.

The Public Interest Registry announced that as of this morning the .ORG top-level domain, for which Afilias provides the technical infrastructure, has finalized its deployment of DNSSEC.  Registrants of .ORG domains will now be able to generate keys and sign their zones via participating registrars. The Internet Society's ISOC.org address became the first to go live in production, signing their name with their sponsoring registrar NamesBeyond.  NamesBeyond also became the first registrar to offer complete DNSSEC deployment in production and presented an easy-to-use user interface design.

In her comments, Lynn St. Amour, the President and CEO of the Internet Society said that she was pleased to be the first organization in the .ORG  top level domain to deploy DNSSEC.  She said that implementing DNSSEC for the .ORG top-level domain was an important step in ensuring that the Internet serves as a trusted channel for communication and collaboration.

Indeed, the deployment of DNSSEC is one of the most important developments in .ORG's 25-year history and their visionary efforts have pushed an entire industry towards adoption.

GoDaddy publicized its commitment to DNSSEC at the ICANN meeting, telling a crowded meeting hall that it will offer a managed DNSSEC service to its customers later this year. An additional 11 registrars have completed operational testing to offer DNSSEC-signed .ORG domains to their customers.

With ICANN due to sign the DNS root next month, the chain of trust on the Internet is almost complete, all the way from the root to the ISP level. Comcast, which spent over two years testing its own DNSSEC validating resolvers prior to deploying earlier this year, announced today that it will also sign some 650 of its own .ORG domains.  Jason Livingood from Comcast encouraged other ISPs to begin their own DNSSEC trials and to rollout DNSSEC in their production resolvers.

While many at the ICANN meeting also heard about the technical challenges of implementing DNSSEC at the registrar and registry levels, and the competitive advantages that can come from being an early adopter, the general consensus emerged that DNSSEC is now something which every player in the domain name industry needs to address.

Paul Vixie, the Chairman of Internet Systems Consortium, which develops BIND software told the workshop that the community was near the tipping point with the root, .ORG, .COM and .NET all being signed or going to sign soon.

ISOC, PIR and Afilias team at the signing of isoc.org this morning at ICANN 38: Brussels.
(Left to right) Back row: Roland LaPlante & Dr. Jim Galvin from Afilias. Front row: Alexa Raad, PIR CEO, Leslie Daigle, ISOC CITO, and Lynn St.Amour, ISOC CEO.

The .mobi domain was launched in 2006 to provide a dedicated name space for content made for mobile consumption. Since its launch, dotMobi, the company behind the .mobi domain, has developed many innovative products that help businesses and organizations mobilize their messages for a mobile audience.  Past successes have been their Device Atlas and Instant Mobilizer, which have won awards in their own right.  The .mobi domain has also become a success and is one of the largest new TLDs ever launched.  Today, dotMobi launches its next innovation -  goMobi aimed at providing small and medium sized businesses an easy and fast way to get their content on the mobile web in a way that helps them convert customers to sales.

goMobi is a new kind of content management solution that allows an average person or business owner to easily build a mobile friendly website with content that reflects the way visitors on the go want to consume it.    With goMobi’s simple intuitive tool, a business can have their new mobile site up in minutes!  Better yet, goMobi sites work on any Web-enabled phone, saving resource constrained businesses from any development time for multiple phone apps for different operating systems—goMobi just makes it happen!

goMobi recognizes that consumers on the go don’t need all the information or fancy graphics of a full website—they need a “just the facts” approach that quickly loads critical information like the phone number, address, directions, hours, etc.  goMobi uses a set of standard icons to present this information in an intuitive format similar to most smart phone displays.  A goMobi site is not just easy to create, but it embodies a mobile friendly experience -- something most small and medium sized businesses would benefit from but don’t have the time and resources to create. 

Now any organization can make mobile marketing a direct and fundamental approach to reaching current and potential customers. 

goMobi is a new and compelling service that can be offered as a value-add by registrars, hosting companies or Web design and developers.  It is easy to integrate with current content management solutions and provides customers a complete site, hosting included!  In addition, experts like designers and developers can create their own custom goMobi features, to offer clients an even more tailored mobile site, with all the benefits of the goMobi solution.

Afilias is supporting the move to an easy-to-create mobile Web.  You can now visit us on the mobile Web with our new and improved goMobi site at http://afilias.mobi

The barriers to DNSSEC adoption are quickly disappearing. There are nearly 20 top-level domains that have already deployed DNSSEC including generic TLDs like .org and .gov. This July, the DNS root will also be signed, and will begin validating DNSSEC queries. At this point, the decision for remaining TLDs to deploy DNSSEC is really no longer a question. In fact, as it stands today, all new TLDs approved by ICANN will be required to have DNSSEC deployed at launch.

Afilias already supports .ORG’s deployment of DNSSEC and provides secondary DNSSEC service for other ccTLDs. Our experience in deploying DNSSEC demonstrates that you need to plan for an increase in strain on your DNS network if your ccTLD or gTLD plans to deploy DNSSEC.

Deploying DNSSEC will have three main effects on your DNS operations:

Larger Zone File Size

For every signed domain, your zone file will now have to store and provide not only the original DNS information such as Start of Authority (SOA) and other Resource Records, but also a digital signer record (DS) to point to the Public Key as well as the actual signature record (RRsig) for each RRset in your zone file for which you are authoritative.

On average, you should expect your zone file to increase 4-6 times its current size.

More than 50% of the DNS traffic Afilias serves today already requests DNSSEC information. When you sign your zone, you will be serving signature information immediately.

Delivering a larger zone file that is serving more records for every DNS query will increase the daily strain on your DNS servers, and could result in increased response times.

Greater Bandwidth Requirements

DNSSEC-enabled responses contain more information because they are now carrying an additional set of information (signatures and keys) that go along with every DNS query. On average, a DNSSEC response is about twice the size of a non-DNSSEC response.

You will need to factor in more bandwidth and processing power to handle larger responses for each DNSSEC query that you need to serve. Some of this is dependent on the DNSSEC configuration choices you make.

While our experience shows that the bandwidth increase associated with a signed zone is not orders of magnitude higher than an unsigned zone, we recommend that you plan for at least a 2-4 times increase in bandwidth required to respond to normal DNS query volume.

Increased DNS Traffic

There are a few reasons why you may see an overall bump in DNS traffic just because you enable DNSSEC.

DNS uses UDP, a lightweight protocol, to return responses for most DNS queries. BIND 9.4.x and earlier versions limit UDP responses to 512 bytes. Since DNSSEC information is larger, responses can be truncated, thereby forcing validating resolvers to ask for the DNSSEC information again using TCP. Most signed TLDs to date report a 1-2% TCP traffic increase overall.

Solving for these three significant operational impacts could cost you time, money and pull your resources away from other critical projects. And, it may even deter you from implementing DNSSEC even though it has become an essential part of TLD management.

We would like to suggest a simple solution that will lighten your load: back-up your DNS with a Secondary provider.

Why? It will reduce your overall risk by offloading part of your traffic onto someone else’s network that has already planned for higher peak capacities. It provides a more economical solution by minimizing the overall expense and capital requirements to expand your existing DNS network. And more importantly it provides a virtual insurance plan against unexpected traffic spikes not just for DNSSEC, but any DNS traffic spike or malfunction whether caused by network failure, DDoS, or a natural disaster affecting the geographic location of your existing nodes.

It’s easy, it’s economical and it makes your infrastructure more resilient.

Register now for a free Web Seminar “Lessons from the Trenches: Deploying DNSSEC” on June 9, 2010, featuring leaders from the .SE registry, .ORG The Public Interest Registry, Shinkuro, and Afilias. Register now.