[NA-Discuss] DNSSEC, was Statement on proposed amendments to RAA, version II

John L johnl at iecc.com
Sat Aug 30 10:13:47 EDT 2008


> DNSSEC is a signed-domain security process ICANN has been studying. It's 
> expensive and costs would probably eventually be passed down to the user 
> community and registrants but if widely implemented it could go a long 
> way toward improving security and stability (in my opinion)

The expense is mostly in software upgrades, not something that I think is 
an overwhelming cost. If you've followed the recent news about DNS 
security holes, they're real, and DNSSEC appears to be the most practical 
countermeasure. DNSSEC works by having a chain of signatures, from zone to 
zone, ideally starting at the root but for now starting at a TLD.

A few ccTLD zones are currently signing with DNSSEC, I think Brazil and 
Sweden.  More relevantly, .ORG plans to start using DNSSEC within the next 
year.  Registrants who sign their own 2nd level domains need to pass their 
keys to the registry so the registry can include the necessary links in 
the TLD zone. Since the registrar is the only path from the registrant to 
the registry, this means that registrars have to support DNSSEC.  I gather 
that it's not that big a deal, basically a few more fields in the data 
they collect from the registrant and provide to the registry.

So we really do mean that registrars should support DNSSEC.

R's,
John

PS: They should support the redemption period, too, with price caps, but 
that's a separate issue.


