Innovation + Initiatives

As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe and reliable for all users.

Hardware Vendors

As momentum for Domain Name System Security Extension (DNSSEC) builds, so does demand for DNSSEC-compatible Internet devices and hardware. Verisign is committed to working with interested hardware vendors to help determine and resolve compatibility risks. Find out what DNSSEC means for you, steps you can take to support the success of DNSSEC, and how the Verisign DNSSEC Interoperability Lab can help you understand your equipment’s behaviour in a DNSSEC-enabled environment.

Why Act Now

As DNSSEC adoption gains momentum, registrars, ISPs and end users will increasingly need networking equipment and other devices that support and are compatible with a DNSSEC-enabled environment.

Collectively, these entities represent a significant market opportunity for hardware vendors that move quickly to address this need. They also highlight the potential business risks that vendors face if their devices are not DNSSEC-compatible. From a wider perspective, these risks and opportunities underscore the vital role that hardware vendors play in the broadly successful deployment and adoption of DNSSEC.

DNSSEC can create a number of compatibility issues in networking equipment that supports DNS. Strategic planning, development and manufacturing cycles that address these issues can take months, if not years. Hardware vendors need to get started soon in order to have ample time to plan, develop, test and refine their products.

By acting now, hardware vendors can reinforce their reputation for leadership and innovation in Internet security, differentiate themselves from competitors and get an early foothold in the DNSSEC-compatible device market. As early adopters, they may also be able to influence the development of technical standards that support and benefit their business.

DNSSEC Benefits for Proactive Hardware Vendors

DNSSEC is a key ingredient in a layered approach to Internet security. By moving quickly to support the success of DNSSEC globally, you can:

  • Introduce upgrades and new products that are compatible with DNSSEC.
  • Help build your brand and reputation.
  • Maintain customer trust and loyalty.
  • Attract and retain security-focused customers.
  • Increase Internet security for customers.
  • Protect your core business by enhancing trust in the Internet.
  • Exert leadership and influence to shape the future of DNSSEC.

1 Nominet and Core Competence, Test Report: DNSSEC Impact on Broadband Routers and Firewalls, September 2008.

What’s Needed

DNSSEC introduces complex changes into the entire Internet ecosystem. To ensure that Internet users benefit from this added layer of Internet security, manufacturers of Internet infrastructure products such as firewalls, routers and other network devices need to ensure that their equipment is compatible with DNSSEC. The proper operation of these products impacts virtually anyone who connects to the Internet, including enterprises, ISPs, home users and other customers.

We invite you to test your equipment in our DNSSEC Interoperability Lab. The Lab is free of charge and will give you a quick but comprehensive view of how your equipment will interact in a DNSSEC-enabled environment.

Compatibility Considerations

DNSSEC potentially impacts any device that examines Internet traffic at layers 3 to 7 of the Open Systems Interconnection (OSI) protocol stack. Compatibility issues may arise from the hardware itself or from how users have configured it. Research suggests that most small office/home office (SOHO) routers (in front of stub resolvers) appear to function properly in a DNSSEC-enabled environment. Enterprise-class firewalls (in front of recursive servers) present the biggest challenge.

Verisign is committed to helping you identify compatibility issues in your products and solutions. The following table provides recommendations for addressing some important considerations related to DNSSEC compatibility.

Issue: DNSSEC-enabled packets are larger (> 512 bytes) than traditional DNS packets.
Explanation: Historically, DNS messages have been carried by the User Datagram Protocol (UDP) and the original DNS standards restricted DNS packet size to 512 bytes. DNSSEC packets can contain public keys and digital signatures; as a result DNSSEC packets are often larger than the historical maximum size of 512 bytes. Many legacy and some current networking devices may drop the larger DNSSEC packets.
Recommendation: Be aware of equipment limitations related to processing DNSSEC packets.

Issue: DNSSEC (activation) will generate more TCP traffic.
Explanation: Because of limitations in maximum transmission unit (MTU) size, UDP cannot always accommodate the size of DNSSEC packets. As a result, queries and responses fall back to using TCP, which causes more traffic and places a heavier burden on networking devices. In addition, some devices are not configured to allow DNS packets over TCP, or in some cases, devices might not support DNS over TCP at all.
Recommendation: Make sure your equipment supports - and is configured to support - TCP.

Issue: DNSSEC (activation) requires support for EDNS0.
Explanation: Extension mechanisms for DNS (EDNS) is a set of DNS extensions first published in 1999. DNSSEC traffic relies on these extensions for additional signalling and to support DNS packets in UDP larger than 512 bytes. Some networking devices may not be able to process DNS packets with EDNS0.
Recommendation: Make sure your equipment supports DNS packets with EDNS0.
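
The three considerations in the table can be checked on the wire. The following added example (not Verisign's code or part of the Interoperability Lab) builds a query carrying an EDNS0 OPT record with the DO bit set, then inspects a reply for size above 512 bytes, the truncation (TC) flag that triggers TCP fallback, and a missing OPT record. The function names, the result tags and the zero-filled sample replies are assumptions constructed for illustration.

```python
import struct

TC, DO, OPT, DNSKEY = 0x0200, 0x8000, 41, 48

def build_query(name, qtype=DNSKEY, udp_size=4096, txid=0x1234):
    """DNS query with an EDNS0 OPT record advertising udp_size and DO=1."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)   # RD=1, one OPT in additional
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO, 0)  # CLASS = UDP payload size
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def inspect(msg):
    """Extract the fields a middlebox must handle: size, TC flag, OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, edns = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns = {"udp_size": rclass, "do": bool(ttl & DO)}
    return {"size": len(msg), "truncated": bool(flags & TC), "edns": edns}

def sample_response(query, rdata_len, tc=False, edns=True):
    """Constructed reply for the demo: zero-filled RDATA, not a real key."""
    hdr = query[:2] + struct.pack("!5H", 0x8180 | (TC if tc else 0), 1, 1, 0, int(edns))
    ans = b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, 3600, rdata_len) + bytes(rdata_len)
    return hdr + query[12:-11] + ans + (query[-11:] if edns else b"")

def findings(query, response):
    """Map one observed exchange onto the three considerations in the table."""
    if response is None:
        return ["dropped"]
    q, r = inspect(query), inspect(response)
    out = []
    if r["truncated"]:
        out.append("tcp-fallback-needed")
    if r["size"] > 512:
        out.append("large-udp-delivered")
    if q["edns"] and not r["edns"]:
        out.append("edns0-missing")
    return out
```

Passing None as the response models a query or reply that never arrived, which is what a device that drops large or EDNS0-bearing packets looks like from the resolver's side.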

Where to Start

Verisign wants to help you with device compatibility for DNSSEC. Consider the following steps to get started, and be sure to bring your solutions into our DNSSEC Interoperability Lab to test the compatibility of networking devices in a DNSSEC-enabled environment. The lab is free of charge.

Evaluate and Plan

  • Review your existing products to understand their DNSSEC-related limitations and identify factory default settings.
  • Understand how DNSSEC fits into your product development strategy.
  • Establish a roadmap for developing products, upgrades, and enhancements that support DNSSEC.

Test

Use the Verisign DNSSEC Interoperability Lab to test the compatibility of your network devices with DNSSEC behaviour.

Explore and Educate

  • Understand the benefits and challenges that your customers experience when they implement DNSSEC.
  • Plan strategies to inform customers about the DNSSEC compatibility of your products.
  • Ensure that your IT and customer support staff receive training to handle DNSSEC-related issues.
  • Work with industry consortiums, standards bodies and other software and hardware vendors to help develop solutions and approaches that meet the needs of your organisation.
