
ICANN81: DNSSEC security and implementation issues

On November 14, ICANN81 hosted a traditional day dedicated to DNSSEC security and implementation issues, attended by experts from the Coordination Center for TLD .RU/.РФ.

The seminar was opened by Kim Davies, IANA Vice President and PTI President. He presented the Root Zone KSK Rollover update and shared plans for the root zone KSK rotation, which will take place in 2026. The KSK currently in use was created in 2016 and published in 2017. The new KSK, created on April 26, 2024, is in the preliminary publication stage and is expected to be published on January 11, 2025; its active use for signing keys will begin on October 11, 2026. The fourth generation of KSK will be generated in 2027, and RSA and ECDSA algorithms are being considered as candidates.

Wataru Ogai (JPNIC) presented research results and the resulting guidelines for the effective implementation and use of RPKI, DNSSEC, and DMARC technologies in Japan. He spoke about a joint project involving academic and business experts, the Ministry of Internal Affairs and Communications of Japan (MIC), NTT Communications Corp, Mitsubishi Research Institute, Inc. (MRI), and the Japan Network Information Center (JPNIC). The speaker highlighted the reasons for using DNSSEC, the challenges related to its implementation, and the process of developing DNSSEC application guidelines.

Next, Eric Osterweil gave George Mason University's traditional presentation on the deployment of key DNS-related tools around the world. He shared statistics on the implementation of DNSSEC, DANE and RPKI in various countries.

The session continued with Peter Thomassen (deSEC), who presented the new SSAC report, DNSSEC Delegation Signer Record Automation (SAC 126). The report addresses security issues in automated DS record management.

Ulrich Wisser (ICANN) examined the ongoing work on the DNSSEC automation standard, which aims to describe the steps and API for the Multi-Signer key procedure.

Steve Crocker (Shinkuro), who moderated this part of the seminar, presented a distributed model of the Multi-Signer procedure, and Johan Stenstam (Swedish Internet Foundation) gave a detailed account of this model’s architecture using a prototype system that allows implementing Multi-Signer. Next, Quan Nguyen (George Mason University) reported on possible ways to improve the fault tolerance of the Multi-Signer procedure using the Independent Point of Failure protection model. The model aims to identify potential points of failure, quantify them, and propose protection measures.

The final session began with a presentation of the Public Suffix List project, also poetically called The Rainbow Bridge. Jothan Frakes (PLISK) explained why a comprehensive machine-readable list of domain zones at all levels, which includes not only generic and country-code TLDs but also second- and third-level zones such as .co.uk, is being created. The Public Suffix List aims to create a comprehensive list of zones at various levels controlled by domain registrars.

The final presentation of the day was devoted to research into DNSSEC-related failures. John Kristoff (ICANN Research Fellow) presented DNSSEC failure statistics collected at IANIX, as well as failure classifications, detection methodologies, and attempts to estimate the impact of these failures. He suggested that to reduce the frequency and impact of DNSSEC failures, more effort should be directed towards developing practical tools, DNSSEC support services, and detailed instructions for operators, and stressed the importance of comprehensive information sharing between stakeholders about past failures to prevent similar errors in the future.
