DNSSEC for Registrars

DNSSEC is a registrar business imperative - driven by internal requirements such as risk management and consumer demand for a safer internet experience.


Domain Name System Security Extension (DNSSEC) presents new opportunities and new challenges for registrars. Verisign is committed to working with our registrar affiliates to make DNSSEC as simple and valuable as possible. Find out what DNSSEC means for you, the steps you can take to prepare for DNSSEC, and how Verisign tools, information and other resources can help you effectively plan, test and implement DNSSEC.


Registrars play a key role in the success of DNSSEC. Some internet service providers (ISPs) and .net/.com registrars are already deploying DNSSEC. Because DNSSEC implementation is a complex process, Verisign advocates a careful, methodical approach. Registrars need to get started soon in order to have ample time to plan, deploy, test and refine their DNSSEC implementation.

By acting now, you can establish yourself as a leader and security-conscious registrar, differentiate yourself from competitors, and get a head start on new revenue opportunities. You may also be able to influence the development of products and services - and other industry initiatives - that support and benefit your business.

Benefits for Proactive Registrars

By proactively adding this important layer, you can:

  • Help protect registrants’ brand and customers.
  • Maintain registrants’ trust and loyalty.
  • Attract and retain registrants who are focused on security and reputation.
  • Create new service offerings, such as zone signing for registrants.
  • Open the door to using the DNS for new types of secure data transactions (e.g. publishing other types of public keys and authenticating e-mail origins).
  • Protect your core business by enhancing trust in the internet.
  • Exert leadership and influence to shape the future of DNSSEC.

DNSSEC introduces complex changes that affect all parties in the DNS query and resolution chain - especially registrars and other hosting entities that manage authoritative name servers and provide key management services for registrants. We have provided tools and will work with you to ensure your deployment of DNSSEC is successful.

To develop the new services that registrants are expected to demand once DNSSEC is deployed, you will need to sign the registrants' domain names. Enabling DNSSEC for a registrant involves the following:

  • Creating private/public key pairs for the domain name.
  • Creating and signing the zone.
  • Managing the key pairs.

These processes ensure that DNSSEC-enabled resolvers within the internet ecosystem can verify the authenticity of responses received from the zone.

You will also need to modify the interface to your customers to accept DNSSEC key data, and modify your Extensible Provisioning Protocol (EPP) interface to pass DNSSEC key data to the registries you interact with.

Zone Signing

The following tasks are associated with setting up and signing a zone:

  • Establish zone signing keys (ZSKs), which sign the records of the zone
  • Establish key signing keys (KSKs), which sign the key records in the zone and help build the trust hierarchy
  • Generate an unsigned zone
  • Sign the zone
  • Test the signing system in an offline test environment
  • Phase in signing, for example, by using it on internal networks first, to ensure that everything continues to work properly

Ongoing Key Management

DNSSEC requires that you routinely change private keys to minimise the risk associated with a malicious actor potentially obtaining the key. A key rollover involves changing a zone’s key pair and re-signing the zone with the new private key. If a KSK is rolled over, you will need to update the registry with the new public key information (DS records).

The following tasks are associated with key management:

  • Handle key rollovers (scheduled and emergency) for ZSKs and KSKs
  • Perform scheduled re-signing of security-related resource records
  • Update the parent zone with delegation signer (DS) records based on the KSKs
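The last task above (deriving DS records from a KSK) and the EPP change mentioned earlier (passing DNSSEC key data to the registry) worked through in Python, as an added example that is not from this page or from Verisign: it builds the DNSKEY wire form, computes the RFC 4034 key tag and SHA-256 DS digest, and wraps the result in the RFC 5910 secDNS-1.1 dsData fragment used in EPP domain create/update commands. The owner name and the 4-byte key are constructed sample values, and the function names are my own.

```python
import base64
import hashlib
import struct

KSK_FLAGS = 257        # RFC 4034: Zone Key (256) + Secure Entry Point (1)
DS_DIGEST_SHA256 = 2   # RFC 4509 digest type

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(name: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """DS data for the parent: SHA-256 over owner-name wire form + DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_name_wire(name) + rdata).hexdigest().upper()
    return {"keyTag": key_tag(rdata), "alg": algorithm,
            "digestType": DS_DIGEST_SHA256, "digest": digest}

def epp_ds_data(ds: dict) -> str:
    """RFC 5910 (secDNS-1.1) dsData fragment carried in an EPP domain create/update."""
    return ("<secDNS:dsData>"
            f"<secDNS:keyTag>{ds['keyTag']}</secDNS:keyTag>"
            f"<secDNS:alg>{ds['alg']}</secDNS:alg>"
            f"<secDNS:digestType>{ds['digestType']}</secDNS:digestType>"
            f"<secDNS:digest>{ds['digest']}</secDNS:digest>"
            "</secDNS:dsData>")

if __name__ == "__main__":
    # Constructed sample: key bytes 01 02 03 04 stand in for a real 64-byte ECDSA P-256 key (alg 13).
    ds = ds_record("example.net.", KSK_FLAGS, 3, 13, "AQIDBA==")
    print("example.net. IN DS", ds["keyTag"], ds["alg"], ds["digestType"], ds["digest"])
    print(epp_ds_data(ds))
```

A validating resolver (and a checker such as a chain-of-trust analyser) performs the same digest over the child's published DNSKEY and compares it with the DS in the parent, so a mismatch here is exactly what breaks the chain of trust after a KSK rollover.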

Additional Considerations

Hosting a signed zone requires the implementation of DNSSEC-compliant name servers. Managing the keys requires specialised DNSSEC hardware and software. Implementing and managing these components is a complex, time-consuming process. You have several options: develop an in-house DNSSEC solution, purchase off-the-shelf DNSSEC-enabled DNS products, or work with a qualified managed services provider that performs DNSSEC signing and key management.

For an in-house or off-the-shelf solution, you should carefully plan and schedule the integration of new devices into your system. You should also test their implementation outside the production environment to ensure that the devices operate properly when DNSSEC is enabled. The Verisign Operational Test Environment (OTE) is available for this purpose at no charge to .net and .com registrars.

You should also investigate whether your legacy and current networking devices can support DNSSEC. For example, can they handle DNSSEC packets, which can be larger than traditional DNS packets, and do they support the Transmission Control Protocol (TCP) and Extension Mechanisms for DNS (EDNS0)?

Registrars can take measured steps over time to reach their goal of a DNSSEC-enabled system that helps maintain the trust of registrants and end users, offers new revenue opportunities and provides a competitive advantage. Based on insights from industry experts and lessons learned from deploying DNSSEC in the root zone, .edu, .net and .com, we suggest the following steps to get started.

Explore and Educate

  • Understand how DNSSEC fits into your cyber security strategy.
  • Know the benefits and challenges of implementing DNSSEC.
  • Understand public key cryptography, encryption standards and how digital signatures and public/private keys work together.
  • Ensure that your IT and customer support staff receive appropriate training.
  • Plan strategies to educate registrants about DNSSEC.

Plan

  • Establish a timeline for adopting DNSSEC.
  • Decide how you will integrate DNSSEC into your existing DNS architecture.
  • Weigh your deployment options: in-house development, off-the-shelf DNSSEC-enabled DNS products, or managed services.

Evaluate and Update

  • Determine what impact DNSSEC has on network bandwidth. (DNSSEC increases network traffic.)
  • Consider how DNSSEC affects DNS management.
  • Review and update key management policies and security to include schedules for key rollovers, reflect the new roles and responsibilities that DNSSEC introduces, and provide for secure storage of keys.
  • Ensure your network is properly configured; ensure zone definitions are accurate and complete.
  • Ask your hardware vendors where DNSSEC fits into their plans and whether upgrades are available for your existing network devices.
  • Update DNS hardware and name server software as needed to be compatible with DNSSEC.
  • Evaluate products and services that support your implementation.

Participate

  • Sign up for the Verisign Registrar Forum.
  • Use the Verisign Operational Test Environment (OTE), which allows you to test your DNSSEC implementation.
  • Work with industry consortiums, standards bodies and software and hardware vendors to help develop solutions and approaches that meet the needs of your organisation.

Verisign is committed to driving down your DNSSEC implementation costs and helping you identify the best DNSSEC deployment strategy for your situation. We have developed the following tools and services to facilitate DNSSEC implementation for the registrar community:

You can use the Verisign end-to-end Operational Test Environment to test your technical DNSSEC implementation well in advance of the planned DNSSEC-enabling of .net and .com.

The OTE is a reproduction of the .net and .com registry platform(s) that you will implement in production. The end-to-end environment allows you to submit, register and resolve names with delegation signer (DS) records for both .net and .com domains. You can also use the OTE to test the integration of customer-facing front-end applications and key signing capabilities.

The OTE includes the following components:

  • Registry back-end - a replica back-end registry that can accept test domain names and test DS data via an operational registry EPP interface and web user interface; this replica registration system provides zone file updates to test name servers.

The DNSSEC Technical Online Forum allows your technical staff to share best practices and participate in open discussions about DNSSEC with peers and Verisign engineers. Your staff can also receive implementation support, guidance for signing and key management, updates on DNSSEC news and developments, the DNSSEC Tool Guide and more. This valuable collaboration tool is private and secure.

Sign up for the DNSSEC Technical Online Forum. (Access subject to NameStore login and access restrictions.) Can't access? Contact us.

The DNSSEC Tool Guide is available through the DNSSEC Technical Online Forum (see above). It includes a review of open source tools and available market-based solutions, a tool comparison matrix, guidance for key management, a zone key tool and DNSSEC tools.

Access the Tool Guide Series on DNSSEC (PDF).

The Verisign DNSSEC software development kit (SDK) enables you to more easily integrate your name servers with Verisign’s DNSSEC systems. You can also use our EPP SDK tools to experiment with or validate EPP commands without building a program.

Access the EPP SDK.

Technical boot camps are full-day sessions with Verisign’s lead DNSSEC development engineers. Engineers discuss what we’re developing, what EPP interfaces look like, and DNSSEC requirements for registrars.

Find out more about our DNSSEC Technical Boot Camps.

The DNSSEC Analyser is a web-based tool for ensuring that the "chain of trust" is intact for a particular DNSSEC-enabled domain name. The tool shows a step-by-step validation of a given domain name and highlights any problems found.

Find out if your website is DNSSEC-enabled