Towards an industry best practice for DNSSEC automation | APNIC Blog Guest Post: DNSSEC adoption, while steadily rising, is still low after 20 years. Why care about DNSSEC adoption anyway?

If we want a more secure Internet by default, DNSSEC needs automation at scale.

Get a grasp of best current practice: blog.apnic.net/2026/02/25/t...

Standards like CDS/CDNSKEY already exist. Some ccTLDs have proven automated models work. What’s missing is broad, coordinated implementation — with support from bodies like ICANN.

The opportunity? Treat DNSSEC like TLS. Automation — similar to what Let's Encrypt did for HTTPS — can dramatically reduce friction, prevent errors, and accelerate adoption.

DNSSEC has been around for 20+ years — so why isn’t it everywhere yet?
Our new piece at APNIC highlights the real blocker: complex, manual processes that make deployment harder than it should be.

The Excruciating Slow Rise of DNSSEC: A Dialogue With Roy Arends About Myths, Realities and Hard Lessons DNSSEC promised to secure DNS with cryptographic proof, yet messy rollouts, outages, and hype backlash ruined its reputation. This piece argues that storytelling and emotions shape adoption as much as...

Deployment of technical standards is surprisingly emotional and narrative-driven. Can’t believe it? Here you go!
circleid.com/posts/the-ex...

#DNS #DNSSEC #CircleID

Quick call out to everyone: What do you think were pivotal moments in DNSSEC history (ones that shouldn’t be missing) and/or moments that were funny or could be staged in a funny way? Looking forward to your suggestions!
#DNSSEC #DNS #ICANN #IETF

In the near future, I will create a funny (but factually accurate) Fakebook on DNSSEC history. Think of it as a fictitious Facebook wall, on which any person, institution or entity imaginable (God, the DNS, the Objective Truth) can enter the stage as a contributor or commentator.

Still looking for good and/or silly ideas to nourish my Fakebook project (see below)! So, in case you should get all meditative and inventive under the Christmas tree (or whatever you do at this time of year), send me your thoughts (via comment or PM)!

Operational Recommendations for DS Automation Enabling support for automatic acceptance of DS parameters from the Child DNS operator (via RFCs 7344, 8078, 9615) requires the parent operator, often a registry or registrar, to make a number of tech...

And here's the draft in question: datatracker.ietf.org/doc/draft-ie...

Towards an Industry Best Practice for DS Automation YouTube video by DNS-OARC

At DNS-OARC 45, my colleague Peter Thomassen presented his updated draft on DNSSEC automation guidelines – that will maximize interoperability and minimize surprise. If that doesn’t sound like DNSSEC to your ears, go check it out!
www.youtube.com/watch?v=zQyr...

#DNS #DNSSEC #OARC45 #automation

Not sure about how to make people really engage with this line of thought, I chose the risky path of tricking the audience … And, not only did I get away with it, the talk was also voted favorite conference talk. Thanks so much!

#DNS #DNSSEC #OARC #OARC45 #image

Why image is worth having an eye on YouTube video by DNS-OARC

After making people laugh about DNSSEC at IETF 123’s traditional pecha kucha night, I was given the opportunity, at DNS-OARC 45, to talk about why it’s not a good idea to neglect the impact of image and emotions, even when dealing with technical DNS matters: www.youtube.com/watch?v=3HoH...

Greetings from Dublin, where we are attending #ICANN84!
Very interestingly, throughout the various stakeholder bodies, there seems to be a renewed interest in taking a fresh and nuanced view on DNSSEC’s usefulness, beyond black-or-white statements.
#DNSSEC #DNS

Today, at #ICANN84 in Dublin, my colleague Peter Thomassen presented his draft on DS automation guidelines during Tech Day and was well received. Everything is slowly falling into place 😉
#DNSSEC #DNS

#oarc45 #lovedns | DNS-OARC Why Image is Worth Having an Eye On Barbara Jantzen (deSEC e.V.) offers a witty take on how perception—not facts—has shaped DNSSEC’s reputation and deployment. #OARC45 #LoveDNS ^RP

On day 2, I was given the opportunity to talk about how image (and not only facts) can impact the assessment of technical issues, taking DNSSEC as an example.
Fun fact: I started my talk with an impersonation… risky, but worth it in the end 😉
bit.ly/4qhNdcD
#LoveDNS #OARC45 #ItsAlwaysDNS #DNSSEC

deSEC proposes DS automation guidelines for TLDs | DNS-OARC posted on the topic | LinkedIn Towards an Industry Best Practice for DS Automation Peter Thomassen (deSEC e.V.) proposes guidelines to standardize DS provisioning automation, aiming for predictability across TLDs. #OARC45 #LoveDN...

On day 1, my colleague Peter Thomassen presented his (and Steve Shengs) draft on DS automation guidelines, amended by the results of the previous day’s workshop discussion, and aiming at getting further feedback from the DNS community.
bit.ly/4nwdbGV
#LoveDNS #DNS #OARC45 #ItsAlwaysDNS #DNSSEC

Starting with a “pre-DNS-OARC 45” workshop (together with my collegue Peter Thomassen), aiming at crafting a consensual take on DS automation guidelines. Thanks to all the participants and to #Internetstiftelsen for providing a friendly location!
#LoveDNS #OARC45 #ItsAlwaysDNS #DNSSEC

My first DNS-OARC meeting: What a friendly, no-nonsense community full of smart and dedicated people!
#LoveDNS #OARC45 #ItsAlwaysDNS

Quick call out to everyone:
What do you think were pivotal moments in DNSSEC history (ones that shouldn’t be missing) and/or moments that were funny or could be staged in a funny way?
Looking forward to your suggestions!

#dnssec #dns #ICANN #IETF

In the near future, I will create a funny (but factually accurate) Fakebook on DNSSEC history. What that is? Well, think of it as a fictitious Facebook wall, on which any person, institution or entity imaginable (God, the DNS, the Objective Truth) can enter the stage as a contributor or commentator.

At the end of August, we consulted with GNSO TechOps, the technical representation group of gTLD registries and registrars, and discussed the current state of our guidelines document on DS automation: datatracker.ietf.org/doc/draft-sh...

#dnssec #dns #ICANN #IETF

At IETF 123, my collegue Peter also presented his new draft on DNSSEC automation guidelines.
Let’s make sure that things behave consistently even across TLDs! This will pave the way for DS automation in the gTLD space.
datatracker.ietf.org/meeting/123/...

#dnssec #dns #ICANN #IETF

IETF123 Bad Attitude Pecha Kucha -- Let's talk about problems: The image of DNSSEC YouTube video by Barbara@deSEC

www.youtube.com/watch?v=7mQ5...

So, can I make people laugh about DNSSEC?
I can 😉
PS: What do we learn from this experience ? People DO HAVE an emotional load regarding DNSSEC. And humor can lead the way to both a more lighthearted and a more factual stand on the matter.
#DNSSEC #IETF #pechakucha

Pecha Kucha means absolute liberty as to the subject you talk about, but at the same time absolute coercion as to timeframe and structure: 20 slides à 20 seconds each, 6:40 minutes in total – no more, no less.
I’m in! And wondering if I can make people laugh about DNSSEC…

#DNSSEC #IETF #pechakucha

ICANN 83 was a treat, but here comes July, and with it IETF123 and its by-now-traditional “Bad Attitude Pecha Kucha” event. Intriguing…!

June 2025: Greetings from Prague where we attended the ICANN 83 Policy Forum, witnessing most interesting talks and getting in touch with the DNSSEC-relevant crowd 😊

#dnssec #dns #ICANN #IETF

#icann #internet #icanngrantprogram | ICANN 📢 #ICANN is proud to announce the first cohort of recipients in the inaugural cycle of the ICANN Grant Program! The ICANN Board approved a slate of 23 projects aimed at advancing a single, open, globa...

www.linkedin.com/posts/icann_...

It all began with excellent news: We were awarded a grant from ICANN to fund our project (bit.ly/3FqNK9F).
Thanks to all people involved in the process! #DNSSEC #DNS #ICANN #IETF

Speaking of DRAMA, let’s have a quick look back at what has happened since it all began, or, to put it differently: “Previsously, on CDMGA*” 😉

*Closing the DNSSEC Maturity Gap through Automation

#dnssec #dns #ICANN #IETF

In our project, I’m tackling the communication issues, you could also say: I’m in charge of the DRAMA.

1) focus on how DNSSEC automation can solve implementation problems, and to take part in standardizing automation,
2) update the shared knowledge regarding DNSSEC’s current maturity (informing people’s choices on the matter) and
3) add a lighthearted touch 😉