Innovation + Initiatives

As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe and reliable for all users.

ISPs

Domain Name System Security Extension (DNSSEC) enables ISPs to offer added value to the thousands of customers who rely on a secure Internet experience to work, learn, play and interact. Verisign is committed to working with ISPs to simplify and standardise DNSSEC. Find out what DNSSEC means for you, the steps you can take to prepare for DNSSEC and how Verisign tools, information and other resources can help you effectively plan, test and enable DNSSEC.

Why Act Now

DNSSEC adoption is gaining momentum. Given the increasing awareness of DNS threats and the trajectory of other Internet security initiatives such as Secure Sockets Layer, it is likely that DNSSEC will become an ISP business imperative - driven by internal requirements such as risk management and consumer demand for a safer Internet experience.

As the managers of the recursive name servers that respond to name resolution requests, ISPs play a key role in enabling an extra layer of security for Internet users. Some large ISPs and some registrars already have DNSSEC implementation on their roadmap. Because DNSSEC implementation is a complex process, Verisign advocates a careful, methodical approach. ISPs need to get started soon in order to have ample time to plan, deploy, test and refine their DNSSEC implementation.

By acting now, ISPs can better protect their customers, reinforce their reputation for leadership in customer protection and Internet security and differentiate themselves from competitors. As early adopters, they may also be able to influence the development of products and services - and other industry initiatives - that support and benefit their business.

DNSSEC Benefits for Proactive ISPs

DNSSEC is a key ingredient in a layered approach to Internet security. By proactively adding this important layer, you can:

  • Help mitigate the risk of your customers becoming victims of cyber crime
  • Help protect and build your brand and reputation
  • Maintain customer trust and loyalty
  • Offer a more secure Internet experience as part of your value proposition to customers
  • Attract and retain security-focused customers
  • Protect your core business by enhancing trust in the Internet
  • Exert leadership and influence to shape the future of DNSSEC

What to Do

ISPs play an essential role in the functioning of the Internet and in the success of DNSSEC. The recursive name servers (resolvers) that ISPs manage help Internet users quickly resolve domain names millions of times per day. Recursive name servers are also the main vector for cache poisoning.

DNSSEC-enabled recursive name servers help prevent cache poisoning in the following way: when a recursive name server requests DNS information from a zone’s authoritative server and the zone is signed, the recursive name server also retrieves the zone’s DNSSEC public key and the digital signatures over the data, so that it can verify that the information it received is identical to the information published on the authoritative server.

To help propagate DNSSEC throughout the Internet ecosystem, you will need to enable DNSSEC on your recursive name servers and ensure compatibility of your network infrastructure (e.g. firewalls, routers, switches and load balancers) with the larger DNS responses that DNSSEC generates. Over time, you can incorporate DNSSEC into your development and testing cycles. ISPs that provide DNS hosting services will also need to enable DNSSEC functionality for these services.

Most commercially available recursive name servers already support DNSSEC and require only an update or parameter change. However you may have to upgrade or replace legacy name servers and existing networking devices. To determine what impact, if any, DNSSEC will have on your enterprise infrastructure components, you can arrange for testing in the Verisign DNSSEC Interoperability Lab.

What to Consider

Verisign is committed to helping you identify the best DNSSEC deployment strategy for your situation.

The following table provides recommendations for addressing some important issues associated with DNSSEC implementation.

Issue: Older versions of name server software do not support DNSSEC.
Explanation: DNS has been a very resilient platform. As a result, administrators may not have updated name server software very often. Some name server software - including legacy versions of BIND - will not support DNSSEC.
Recommendation: Review your name servers and upgrade to a version that supports the DNSSEC protocol and RSA-SHA256, NSEC and NSEC3. Consider the following DNSSEC-compatible versions: BIND 9.6.2 and Unbound 1.4.0.

Issue: DNSSEC-enabled packets are larger (> 512 bytes) than traditional packets.
Explanation: DNSSEC packets are larger than traditional packets and contain different information. DNSSEC-compatible name server software may increase a server’s resource usage. Larger packets will increase capacity requirements for the CPU, server memory and bandwidth for ISP operation.
Recommendation: Review the hardware that your name servers run on to ensure that the servers are prepared for their increased load.

Issue: Recursive name servers require that validation is “turned on.”
Explanation: To provide DNSSEC functionality to your customers, you must activate DNSSEC validation on recursive name servers.
Recommendation: Evaluate and decide whether to “turn on” validation. Then set up and maintain a DNSSEC-aware validating recursive name server.

Issue: DNSSEC will increase DNS management responsibilities for system administrators.
Explanation: System administrators responsible for DNS operations will need to conduct periodic trust maintenance and update the public key (used for DNSSEC authentication) when root zone operators roll over new public/private key pairs for digital signatures.
Recommendation: Be sure that system administrators managing your DNS operations are well-versed in the concepts of DNSSEC and trust anchor maintenance. Provide technical training and increase familiarity with available tools.

Issue: End users will encounter DNSSEC validation failures.
Explanation: A significant concern for ISPs and the Internet community is the end user experience when fraudulent DNS data is detected or name resolution fails because the digital signatures used to authenticate DNS have expired.
Recommendation: Educate and train your customer support team so they know how to diagnose and explain such failures to your user base. Collaborate with Verisign, other ISPs, and other participants in the Internet ecosystem to find a standardised solution to this issue.
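The larger-packet and validation-failure issues above come down to a handful of bits in the DNS message. The following is an added example (not Verisign's or any name server vendor's code) that builds a DNSSEC-aware query with an EDNS0 OPT record and decodes the response flags an operator or support desk would check; the 1232-byte buffer size and the sample responses are assumptions constructed for the example.

```python
import struct

# Added example (not Verisign's or any vendor's code). A query with EDNS0 and the
# DO bit is what makes a signed zone's answer exceed the classic 512-byte UDP
# limit; the response flags below are what a resolver operator inspects when a
# firewall clamps DNS to 512 bytes or a signature fails to validate.

EDNS_UDP_SIZE = 1232  # assumed buffer size: fits most signed answers, avoids fragmentation
DO_BIT = 0x8000       # "DNSSEC OK" bit in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Wire-format an owner name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dnssec_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Query with RD set and one OPT RR in the additional section (RFC 6891)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
    # TTL=extended RCODE/version/flags (DO set), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt


def parse_response_flags(msg: bytes) -> dict:
    """TC: answer truncated, client must retry over TCP (typical when middleboxes
    limit DNS to 512 bytes). AD: the resolver validated the data. RCODE 2
    (SERVFAIL) is how a validation failure reaches the client."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": qid,
        "tc": bool(flags & 0x0200),
        "ad": bool(flags & 0x0020),
        "rcode": flags & 0x000F,
    }


def classify_response(msg: bytes) -> str:
    """Map the header flags to the condition a support team would report."""
    f = parse_response_flags(msg)
    if f["tc"]:
        return "truncated: retry over TCP, check firewall and EDNS buffer size"
    if f["rcode"] == 2:
        return "servfail: possible DNSSEC validation failure (bad or expired signatures)"
    return "validated" if f["ad"] else "unvalidated"
```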

Where to Start

You can take measured steps to reach your goal of a DNSSEC-enabled system that helps maintain the trust of end users and provides a competitive advantage. Based on lessons learned through working with registrars and ISPs and working to deploy DNSSEC in the root zone, .edu, .net and .com, we suggest the following steps to get started.

Explore and Educate

  • Understand how DNSSEC fits into your cyber security strategy.
  • Know the benefits and challenges of implementing DNSSEC.
  • Understand public key cryptography, encryption standards and how digital signatures and public/private keys work together.
  • Ensure that your IT and customer support staff receive training to handle DNSSEC-related issues.
  • Leverage Verisign resources and plan strategies to inform customers about DNSSEC.

Plan

  • Establish a timeline for adopting DNSSEC.
  • Decide how you will integrate DNSSEC into your existing DNS architecture.
  • Create policies and processes to systematise integration of public key updates from registrars or other trust anchors.
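Systematising trust anchor updates means being able to check that a newly published key is the one you expect before a resolver starts trusting it. The following is an added example (not Verisign's or any vendor's code) that derives the key tag (RFC 4034) and the SHA-256 DS digest (RFC 4509) of a DNSKEY record so it can be compared against a configured anchor; the sample key bytes are constructed and are not a real key.

```python
import hashlib
import struct

# Added example (not Verisign's or any vendor's code). Computes the key tag and
# SHA-256 DS digest of a DNSKEY so a newly published trust anchor (e.g. after a
# root KSK rollover) can be compared against the one a resolver has configured.
# Algorithm 1 (RSA/MD5) uses a different key-tag rule and is not handled here.


def encode_name(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = zone key + SEP), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(encode_name(owner) + rdata).hexdigest().upper()


def trust_anchor_matches(owner: str, rdata: bytes, expected_tag: int, expected_digest: str) -> bool:
    """True only when both the key tag and the DS digest agree with the configured anchor."""
    return (key_tag(rdata) == expected_tag
            and ds_digest_sha256(owner, rdata) == expected_digest.upper())


# Constructed sample key material (not a real key): flags 257, protocol 3, RSA/SHA-256 (8).
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01\xab\xcd")
```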

Evaluate and Update

  • Take inventory and review your infrastructure; for example, note what version of BIND or Unbound DNS software you are running and determine whether name servers support NSEC3 and SHA-256.
  • Determine what, if any, impact DNSSEC will have on network bandwidth (larger DNSSEC packets increase network traffic).
  • Consider how DNSSEC will affect management of recursive name servers.
  • Ask your hardware vendors where DNSSEC fits into their roadmap and whether upgrades are available for your existing network devices.
  • Evaluate products and services that support your implementation.
  • Update DNS hardware and name server software, as needed, to be compatible with DNSSEC.

Participate

  • Use the Verisign DNSSEC Interoperability Lab to test the compatibility of your network devices with DNSSEC.
  • Work with industry consortiums, standards bodies and software and hardware vendors to help develop solutions and approaches that meet the needs of your organisation.
  • Collaborate and strategize to address the end user experience when DNSSEC detects “bad” data.

Need more info?

Call +442030064194
Email or Chat with Customer Support.