Jacques Latour provides a DNSSEC update.
Jacques Latour, CIRA’s Director, Information Technology, updates CIRA’s progress on DNSSEC in this post. This week, we reached a major milestone in implementing DNSSEC in .CA.
On January 21, CIRA published a signed .CA zone file. We have also submitted the .CA DS record to the Internet Assigned Numbers Authority (IANA).DNSSEC is an important set of extensions that provide an extra layer of security to the domain name system (DNS). It’s implementation is critical to ensure the continued safety and security of .CA. We wanted to create a comprehensive DNSSEC validation process, so we took a different approach to sign .CA that takes into account several known DNSSEC-related issues that affect its operation. Our approach addresses these issues, and we believe we have developed a resilient solution that will result in high availability/no outages. We created dual independent signing engines using Bind and OpenDNSSEC. There were a few challenges along the way. For example, Bind and OpenDNSSEC produce different, although valid signed zone files and both handle signing differently.
These challenges, though, were worth overcoming. The end product will not only be an improved system for .CA, but we’re blazing a new trail here – the global Internet community will benefit from this work. This milestone is the result of almost a year’s work, starting with the release of our DNSSEC Practice Statement for comment in February 2012. This document provides an operational outline of how we plan to develop, maintain and manage DNSSEC deployment for .CA. In September 2012, we held a key signing ceremony at our Ottawa office. At this ceremony, the cryptographic digital key that is used to secure the .CA zone was generated.
These steps provided the foundation for the next phase of our work, the publishing of the .CA zone file, which was completed this week. The next phase of CIRA’s work in implementing DNSSEC is to make the necessary upgrades to ready the registry system for transacting DNSSEC-enabled .CA domain names.
We expect this work to be complete in 2014. Once complete, CIRA will be able to register DNSSEC-enabled .CA domain names. Our next steps also include working with the Canadian Internet community to get them onside to implement DNSSEC in their systems. Once we have fully implemented DNSSEC, we will have reached a major milestone in ensuring .CA is among the safest top-level domains in the world. Should you have questions or concerns please do not hesitate to contact [email protected].
En tant qu’expert de la conception de solutions de pointe en matière de TI, Jacques a établi CIRA à titre de leader mondial parmi les registres de domaines (ccTLD). Il possède plus de 25 ans d’expérience dans les secteurs privé et sans but lucratif et, à titre de dirigeant principal des technologies à CIRA, il dirige actuellement les Labos, plaque tournante de l’innovation à CIRA, et assure le leadership et la direction de la gestion et de la sécurité du registre .CA et de son DNS sous-jacent.
Visionnaire de la communauté d’Internet, Jacques a dirigé l’élaboration du test de performance Internet de CIRA, est un ardent défenseur de l’adoption de l’IPv6 et représente le registre .CA sur le plan international en qualité de membre de divers groupes de travail et groupes consultatifs. Il participe à l’élaboration d’une nouvelle architecture canadienne d’Internet. Il a agi comme catalyseur pour la création d’une association nationale canadienne des IXP, CA-IX, et il siège au conseil d’administration du Manitoba Internet Exchange (MBIX) et du DNS-OARC. Jacques siège aussi au comité consultatif pour la sécurité et la stabilité de l’ICANN.
Jacques est diplômé à titre de technologue en génie électronique après des études au Collègue Algonquin. Il a également suivi avec succès les formations certifiantes ITIL (v3) Foundation et Agile ScrumMaster.
