Skip to main content
  • State of the Internet

DNSSEC update

Jacques Latour provides a DNSSEC update.
By Jacques Latour
Chief technology officer

Jacques Latour provides a DNSSEC update.

This week, we reached a major milestone in implementing DNSSEC in .CA.

On January 21, CIRA published a signed .CA zone file. We have also submitted the .CA DS record to the Internet Assigned Numbers Authority (IANA).DNSSEC is an important set of extensions that provide an extra layer of security to the domain name system (DNS). It’s implementation is critical to ensure the continued safety and security of .CA. We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages. We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently.

These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work. This milestone is the result of almost a year’s work, starting with the release of our DNSSEC Practice Statement for comment in February 2012. This document provides an operational outline of how we plan to develop, maintain and manage DNSSEC deployment for .CA. In September 2012, we held a key signing ceremony at our Ottawa office. At this ceremony, the cryptographic digital key that is used to secure the .CA zone was generated.

These steps provided the foundation for the next phase of our work, the publishing of the .CA zone file, which was completed this week. The next phase of CIRA’s work in implementing DNSSEC is to make the necessary upgrades to ready the registry system for transacting DNSSEC-enabled .CA domain names.

We expect this work to be complete in 2014. Once complete, CIRA will be able to register DNSSEC-enabled .CA domain names. Our next steps also include working with the Canadian Internet community to get them onside to implement DNSSEC in their systems. Once we have fully implemented DNSSEC, we will have reached a major milestone in ensuring .CA is among the safest top-level domains in the world. 

About the author
Jacques Latour

As an expert in developing innovative, leading-edge IT solutions, Jacques has established CIRA as a global leader among ccTLD registries. He has 25+ years of experience in the private and not-for-profit sectors and as CIRA’s CTO,is currently leading CIRA Labs, CIRA’s innovation hub and providing leadership and direction for the management and security of the .CA registry and its underlying DNS.

A visionary in the Internet community, Jacques led the development of CIRA’s Internet Performance Test, is an outspoken advocate for the adoption of IPv6 and represents the .CA registry internationally as a member of a variety of working groups and advisory groups. He is committed to the development of a new Canadian Internet architecture. He has served as the catalyst for the creation of a national Canadian IXP association, CA-IX, and is a member of the Manitoba Internet Exchange’s (MBIX) and the DNS-OARC Board of Directors.  Jacques is also a member of ICANN’s Security and Stability Advisory Committee (SSAC).

Jacques holds an Electronics Engineering Technologist diploma from Algonquin College, is ITIL v3 Foundation certified and is a certified Agile ScrumMaster.