ICANN calls for full DNSSEC deployment

Posted on February 27, 2019
by Mattias Geniar
« Back to blog overview


A few days ago, ICANN issued a statement where they call upon everyone to implement DNSSEC across their DNS infrastructure.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

One of the core features of DNS Spy is that it can notify you of any changes in your DNS records. If you made those yourself, you’ll see confirmation that your changes have been picked up by your nameservers. But if someone else made those changes, you might have fallen victim to a domain hijack.

We increase the visibility of domain hijacks, DNSSEC can prevent it altogether.

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers.

This particular type of attack, which targets the DNS, only works when DNSSEC is not in use.

There has long been a debate within the DNS community about the effectiveness of DNSSEC (and its added complexity). Now, with public backing of ICANN, there is new hope that DNSSEC can one again regain in popularity.

Note; our DNSSEC integration is still undergoing development, it will detect & rate KSK and ZSK records, but we lack deep integration to validate to full path. That’s coming in one of our future releases.

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *