On September 14th, AFNIC kicked off deployment of DNSSEC in France by signing the .fr Top Level Domain. Backed by extensive experience and assignments as registry of the .fr TLD, AFNIC plays a strategic role in the introduction of the security protocol in the DNS in France. The deployment must now be pursued by DNS servers administrators, registrars and ISPs.
DNSSEC is a protocol designed to help secure the DNS against attacks by cache poisoning. The purpose of such attacks is to capture and divert requests without users realising it, the risk being that users may disclose personal data in the belief that they are on the legitimate site.
Since the disclosure of the "Kaminsky flaw" in 2008, a number of registries have agreed to accelerate the work already underway on implementing DNSSEC. The root of the DNS was signed in July 2010. To date, a dozen registries have already signed their TLDs and this figure will increase in coming months.
In the next few days, the public key associated with the .fr TLD will be published in the root servers. As of next week, AFNIC will start consultations with the registrars, in order to set up the system enabling them to publish the signature information for domain names under .fr, such as afnic.fr.
The work of AFNIC will then continue with the set-up of training and assistance services for registrars and DNS server administrators wishing in turn to deploy DNSSEC. For their benefit, AFNIC is also publishing a comprehensive issue paper devoted to DNSSEC issues and operation, with the questions to ask in order to prepare its deployment.
Finally, from September 20th, onwards, AFNIC will be releasing version 3 of "ZoneCheck", its DNS configuration test tool, a free software tool that integrates DNSSEC configuration tests, and is available on www.zonecheck.fr.
The real challenge facing the success of DNSSEC depends on its adoption by the registrars, ISPs and all the structures managing their own DNS servers. Without that wide-scale acceptance, the chain of trust will not be established and DNSSEC will only have a limited impact.