As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe, and reliable for all users.
ISPs
Domain Name System Security Extension (DNSSEC) enables ISPs to offer added value to the thousands of customers who rely on a secure Internet experience to work, learn, play, and interact. Verisign is committed to working with ISPs to simplify and standardize DNSSEC. Find out what DNSSEC means for you, steps you can take to prepare for DNSSEC, and how Verisign tools, information, and other resources can help you effectively plan, test, and enable DNSSEC.
Given the increased awareness of DNS threats and the trajectory of other Internet security initiatives such as Secure Sockets Layer, DNSSEC has become an ISP business imperative—driven by internal requirements such as risk management and consumer demand for a safer Internet experience.
By acting now, you can better protect your customers, reinforce your reputation for leadership in customer protection and Internet security, and differentiate yourself from competitors. As an early adopter, you may also be able to influence the development of products and services—and other industry initiatives—that support and benefit your business.
Benefits for Proactive ISPs
By proactively adding this important layer, you can:
- Help mitigate the risk of your customers becoming victims of cyber crime
- Help protect and build your brand and reputation
- Maintain your customers' trust and loyalty
- Offer a more secure Internet experience as part of your value proposition to customers
- Attract and retain security-focused customers
- Protect your core business by enhancing trust in the Internet
- Exert your leadership and influence to shape the future of DNSSEC
ISPs play an essential role in the functioning of the Internet and in the success of DNSSEC. The recursive name servers (resolvers) that ISPs manage help Internet users quickly resolve domain names millions of times per day. Recursive name servers are also the main vector for cache poisoning.
DNSSEC-enabled recursive name servers help prevent cache poisoning in the following way: When a recursive name server requests DNS information from a zone’s authoritative server and the zone is signed, the recursive name server also requests the zone’s DNSSEC key so that it can verify that the information it received is identical to the information on the authoritative server.
To help propagate DNSSEC throughout the Internet ecosystem, you need to enable DNSSEC on your recursive name servers and ensure compatibility of your network infrastructure (e.g., firewalls, routers, switches, and load balancers) with the larger DNS responses that DNSSEC generates. Over time, you can incorporate DNSSEC into your development and testing cycles. ISPs that provide DNS hosting services also need to enable DNSSEC functionality for these services.
Most commercially available recursive name servers already support DNSSEC and require only an update or parameter change. However you may have to upgrade or replace legacy name servers and existing networking devices.
Verisign is committed to helping you identify the best DNSSEC deployment strategy for your situation.
The following table provides recommendations for addressing some important issues associated with DNSSEC implementation.
| Issue: Older versions of name server software do not support DNSSEC. | |
|---|---|
| Explanation: DNS has been a very resilient platform. As a result, administrators may not have updated name server software very often. Some name server software—including legacy versions of BIND—will not support DNSSEC. | Recommendation: Review your name servers and upgrade to a version that supports the DNSSEC protocol and RSA-SHA256, NSEC, and NSEC3. Consider the following DNSSEC-compatible versions: BIND 9.9.0, 9.81-p1, 9.7.4-p1 and Unbound 1.4.16 |
| Issue: DNSSEC-enabled packets are larger (> 512 bytes) than traditional packets. | |
| Explanation: DNSSEC packets are larger than traditional packets and contain different information. DNSSEC-compatible name server software may increase a server’s resource usage. Larger packets will increase capacity requirements for the CPU, server memory, and bandwidth for ISP operation. | Recommendation: Review the hardware that your name servers run on to ensure that the servers are prepared for the increased load. |
| Issue: Recursive name servers require that validation is "turned on." | |
| Explanation: To provide DNSSEC functionality to your customers, you must activate DNSSEC validation on recursive name servers. | Recommendation: Evaluate and decide whether to "turn on" validation. Then set up and maintain a DNSSEC-aware validating recursive name server. |
| Issue: DNSSEC will increase DNS management responsibilities for system administrators. | |
| Explanation: System administrators responsible for DNS operations will need to conduct periodic trust maintenance and update the public key (used for DNSSEC authentication) when root zone operators roll over new public/private key pairs for digital signatures. | Recommendation: Be sure that system administrators managing your DNS operations are well-versed in the concepts of DNSSEC and trust anchor maintenance. Provide technical training and increase familiarity with available tools. |
| Issue: End users will encounter DNSSEC validation failures. | |
| Explanation: A significant concern for ISPs and the Internet community is the end user experience when fraudulent DNS data is detected or name resolution fails because the digital signatures used to authenticate DNS have expired. | Recommendation: Educate and train your customer support team so they know how to diagnose and explain such failures to your user base. Collaborate with Verisign, other ISPs, and other participants in the Internet ecosystem to find a standardized solution to this issue. |
You can take measured steps to reach your goal of a DNSSEC-enabled system that helps maintain the trust of end users and provides a competitive advantage. Based on lessons learned through working with registrars and ISPs and working to deploy DNSSEC in the root zone, .edu, .net, and .com, we suggest the following steps to get started.
Explore and Educate
- Understand how DNSSEC fits into your cyber security strategy.
- Know the benefits and challenges of implementing DNSSEC.
- Understand public key cryptography, encryption standards, and how digital signatures and public/private keys work together.
- Ensure that your IT and customer support staff receive training to handle DNSSEC-related issues.
- Leverage Verisign resources, and plan strategies to inform customers about DNSSEC.
Plan
- Establish a timeline for adopting DNSSEC.
- Decide how you will integrate DNSSEC into your existing DNS architecture.
- Create policies and processes to systematize integration of public key updates from registrars or other trust anchors.
Evaluate and Update
- Take inventory and review your infrastructure; for example, note what version of BIND or Unbound DNS software you are running and determine whether name servers support NSEC3 and SHA-256.
- Determine what, if any, impact DNSSEC will have on network bandwidth (Larger DNSSEC packets increase network traffic.)
- Consider how DNSSEC will affect management of recursive name servers.
- Ask your hardware vendors where DNSSEC fits into their roadmap and whether upgrades are available for your existing network devices.
- Evaluate products and services that support your implementation.
- Update DNS hardware and name server software, as needed, to be compatible with DNSSEC.
Participate
- Work with industry consortiums, standards bodies, and software and hardware vendors to help develop solutions and approaches that meet the needs of your organization.
- Collaborate and strategize to address the end user experience when DNSSEC detects "bad" data.