Find out what DNSSEC means for you and the steps you can take to support the success of DNSSEC.
As momentum for Domain Name System Security Extension (DNSSEC) builds, so does demand for DNSSEC-compatible Internet devices and hardware. Verisign is committed to working with interested hardware vendors to help determine and resolve compatibility risks.
Registrars, ISPs, and end users increasingly need networking equipment and other devices that support and are compatible with a DNSSEC-enabled environment.
Collectively, these entities represent a significant market opportunity for hardware vendors that move quickly to address this need. They also highlight the potential business risks that vendors face if their devices are not DNSSEC-compatible. From a wider perspective, these risks and opportunities underscore the vital role that hardware vendors play in the broadly successful deployment and adoption of DNSSEC.
DNSSEC can create a number of compatibility issues in networking equipment that supports DNS. Strategic planning, development, and manufacturing cycles that address these issues can take months, if not years. Hardware vendors need to plan, develop, test, and refine their products in order to provide for their customers' security needs.
By acting now, you reinforce your reputation for leadership and innovation in Internet security, differentiate yourself from competitors, and get a foothold in the DNSSEC-compatible device market.
Benefits for Hardware Vendors
By moving quickly to support the success of DNSSEC globally, you can:
DNSSEC introduces complex changes into the entire Internet ecosystem. To ensure that Internet users benefit from this added layer of Internet security, manufacturers of Internet infrastructure products such as firewalls, routers, and other network devices need to ensure that their equipment is compatible with DNSSEC. The proper operation of these products impacts virtually anyone who connects to the Internet, including enterprises, ISPs, home users, and other customers.
DNSSEC potentially impacts any device that examines Internet traffic at layers 3 to 7 of the Open Systems Interconnection (OSI) protocol stack. Compatibility issues may arise from the hardware itself or from how users have configured it. Research suggests that most small office/home office (SOHO) routers (in front of stub resolvers) appear to function properly in a DNSSEC-enabled environment. Enterprise-class firewalls (in front of recursive servers) present the biggest challenge.
Verisign is committed to helping you identify compatibility issues in your products and solutions. The following table provides recommendations for addressing some important considerations related to DNSSEC compatibility.
| ISSUE: DNSSEC-ENABLED PACKETS ARE LARGER (> 512 BYTES) THAN TRADITIONAL DNS PACKETS. | |
|---|---|
| Explanation: Historically, DNS messages have been carried by the User Datagram Protocol (UDP), and the original DNS standards restricted DNS packet size to 512 bytes. DNSSEC packets can contain public keys and digital signatures; as a result, DNSSEC packets are often larger than the historical maximum size of 512 bytes. Many legacy and some current networking devices may drop the larger DNSSEC packets. | Recommendation: Be aware of equipment limitations related to processing DNSSEC packets. |
| ISSUE: DNSSEC (ACTIVATION) WILL GENERATE MORE TCP TRAFFIC. | |
| Explanation: Because of limitations in maximum transmission unit (MTU) size, UDP cannot always accommodate the size of DNSSEC packets. As a result, queries and responses fall back to using TCP, which causes more traffic and places a heavier burden on networking devices. In addition, some devices are not configured to allow DNS packets over TCP, or in some cases, devices might not support DNS over TCP at all. | Recommendation: Make sure your equipment supports—and is configured to support—TCP. |
| ISSUE: DNSSEC (ACTIVATION) REQUIRES SUPPORT FOR EDNS0. | |
| Explanation: Extension mechanisms for DNS (EDNS) is a set of DNS extensions first published in 1999. DNSSEC traffic relies on these extensions for additional signaling and to support DNS packets in UDP larger than 512 bytes. Some networking devices may not be able to process DNS packets with EDNS0. | Recommendation: Make sure your equipment supports DNS packets with EDNS0. |
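The three issues in the table are visible on the wire in a single query/response pair. As an added illustration (not Verisign's code or any vendor's test suite), the following Python builds the kind of query a DNSSEC-aware resolver sends (an EDNS0 OPT record advertising a 4096-byte UDP buffer, an assumed value, with the DO bit set) and classifies a response the way a compatible device must: by size relative to the classic 512-byte ceiling and by the TC bit that triggers the TCP fallback. Sample messages are constructed inline.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP ceiling when no EDNS0 OPT record is present
EDNS_UDP_SIZE = 4096      # advertised UDP buffer size (assumption: a common resolver setting)
DO_BIT = 0x8000           # "DNSSEC OK" flag, high bit of the OPT record's 32-bit TTL field
OPT_TYPE = 41             # RR type of the EDNS0 OPT pseudo-record
TC_FLAG = 0x0200          # Truncated bit in the DNS header flags

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query with RD set, one question and one additional RR (the EDNS0 OPT record).
    OPT: owner=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name; a compression pointer (0xC0..) ends it in two bytes."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_edns(msg: bytes):
    """Walk the sections to the OPT RR; return its UDP size and DO bit, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {"udp_size": rclass, "do": bool(ttl & DO_BIT)}
    return None

def classify_response(msg: bytes) -> dict:
    """Header-only checks a middlebox or client needs: does the message exceed the classic
    512-byte limit, and is TC set (the signal to retry the same query over TCP)?"""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    truncated = bool(flags & TC_FLAG)
    return {"id": txid, "size": len(msg), "exceeds_512": len(msg) > CLASSIC_UDP_LIMIT,
            "truncated": truncated, "needs_tcp": truncated}
```

A device that strips the OPT record, or drops anything over 512 bytes, or blocks port 53/TCP will break exactly the three paths this code exercises.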
Verisign wants to help you with device compatibility for DNSSEC. Consider the following steps to get started.
Evaluate and Plan
Test
Test the compatibility of your network devices with DNSSEC behavior.
Explore and Educate