As DNSSEC adoption gains momentum, DNSSEC will likely become a registrar business imperative - driven by internal requirements such as risk management and consumer demand for a safer Internet experience.

Registrars play a key role in the success of DNSSEC. Some Internet service providers (ISPs) and .net/.com registrars are already working to deploy DNSSEC. Because DNSSEC implementation is a complex process, Verisign advocates a careful, methodical approach. Registrars need to get started soon in order to have ample time to plan, deploy, test and refine their DNSSEC implementation.

By acting now, registrars can establish themselves as thought leaders and role models, differentiate themselves from competitors and get a head start on new revenue opportunities. As early adopters, they may also be able to influence the development of products and services - and other industry initiatives - that support and benefit their business.

DNSSEC Benefits for Proactive Registrars
DNSSEC is a key ingredient in a layered approach to Internet security. By proactively adding this important layer, registrars can:

• Help protect registrants’ brand and customers.
• Maintain registrants’ trust and loyalty.
• Attract and retain security and reputation-focused registrants.
• Create new service offerings, such as zone signing for registrants.
• Open the door to using the DNS for new types of secure data transactions, e.g. publishing other types of public keys and authenticating email origin.
• Protect your core business by enhancing trust in the Internet.
• Exert leadership and influence to shape the future of DNSSEC.

DNSSEC introduces complex changes that affect all parties in the DNS query and resolution chain - especially registrars and other hosting entities that manage authoritative name servers and provide key management services for registrants. We have provided tools and will work with you to ensure your deployment of DNSSEC is successful.

To develop the new services that registrants will likely demand once DNSSEC is deployed, you will need to sign the registrants’ domain names. Enabling DNSSEC for a registrant involves creating private/public key pairs for the domain name, creating and signing the zone and managing the key pairs. These processes ensure that DNSSEC-enabled resolvers within the Internet ecosystem can verify the authenticity of responses received from the zone.

You will also need to modify the interface to your customers to accept DNSSEC key data and modify your Extensible Provisioning Protocol (EPP) interface to pass DNSSEC key data to the registries with which you interact.

Zone Signing
The following tasks are associated with setting up and signing a zone:

• Establish zone signing keys (ZSKs), which sign the records of the zone
• Establish key signing keys (KSKs), which sign the key records in the zone and help build the trust hierarchy
• Generate an unsigned zone
• Sign the zone
• Test the signing system in an offline test environment
• Phase in signing, for example, by using it on internal networks first, to ensure that everything continues to work properly

Ongoing Key Management
DNSSEC requires that you change private keys routinely to minimise the risk associated with a malicious actor potentially obtaining the key. A key rollover involves changing a zone’s key pair and resigning the zone with the new private key. If a KSK is rolled over, you will need to update the registry with the new public key information (DS records).

The following tasks are associated with key management:

• Handle key rollovers (scheduled and emergency) for ZSKs and KSKs
• Perform scheduled resigning of security-related resource records
• Update the parent zone with delegation signer (DS) records based on the KSKs

Additional Considerations
Hosting a signed zone requires the implementation of DNSSEC-compliant name servers. Managing the keys requires specialised DNSSEC hardware and software. Implementing and managing these components is a complex, time-consuming process. You have several options: Develop an in-house DNSSEC solution, purchase off-the-shelf DNSSEC-enabled DNS products, or work with a qualified managed services provider that performs DNSSEC signing and key management.

For an in-house or off-the-shelf solution, you will need to carefully plan and schedule the integration of new devices into your system. You should also test their implementation outside the production environment to ensure that devices operate properly when DNSSEC is enabled. The Verisign Operational Test Environment (OTE) is available for this purpose at no charge to .net and .com registrars.

You should also investigate whether your legacy and current networking devices can support DNSSEC. For example, can they handle DNSSEC packets, which can be larger than traditional packets, and do they support the Transmission Control Protocol (TCP) and extension mechanisms for DNS packets? One way to determine how well these components work with DNSSEC is to test them in the Verisign Interoperability Lab, which is also free of charge.

Registrars can take measured steps over time to reach their goal of a DNSSEC-enabled system that helps maintain the trust of registrants and end users, offers new revenue opportunities and provides a competitive advantage. Based on insights from industry experts and lessons learned through deploying DNSSEC in the root zone, .edu, .net and .com, we suggest the following steps to get started.

Explore and Educate

• Understand how DNSSEC fits into your cyber security strategy.
• Know the benefits and challenges of implementing DNSSEC.
• Understand public key cryptography, encryption standards and how digital signatures and public/private keys work together.
• Ensure that your IT and customer support staff receive appropriate training.
• Plan strategies to educate registrants about DNSSEC.

Plan

• Establish a timeline for adopting DNSSEC.
• Decide how you will integrate DNSSEC into your existing DNS architecture.
• Weigh your deployment options: in-house development, off-the-shelf DNSSEC-enabled DNS products, or managed services.

Evaluate and Update

• Determine what, if any, impact DNSSEC will have on network bandwidth. (DNSSEC increases network traffic.)
• Consider how DNSSEC will affect DNS management.
• Review and update key management policies and security to include schedules for key rollovers, reflect new roles and responsibilities that DNSSEC introduces and provide for secure storage of keys.
• Be sure your network is properly configured; be sure zone definitions are accurate and complete.
• Ask your hardware vendors where DNSSEC fits into their roadmap and whether upgrades are available for your existing network devices.
• Update DNS hardware and name server software as needed to be compatible with DNSSEC.
• Evaluate products and services that support your implementation.

Participate

• Sign up for the Verisign Registrar Forum.
• Use the Verisign Operational Test Environment (OTE), which allows you to test your DNSSEC implementation.
• Work with industry consortiums, standards bodies and software and hardware vendors to help develop solutions and approaches that meet the needs of your organisation.

Verisign is committed to driving down your DNSSEC implementation costs and helping you identify the best DNSSEC deployment strategy for your situation. We have developed a range of tools, services, support and other resources to assist you with DNSSEC deployment and management.

Verisign offers the following tools and services to facilitate DNSSEC implementation for the registrar community: