For two things that would seem to be completely unrelated there is an interesting parallel between IPv6 and DNSSEC. In both cases there is a misalignment of interests between content providers and service providers. Content providers aren't highly motivated to deploy IPv6 because only a small proportion of users have v6 connectivity and even fewer only have v6. Service providers aren't anxious to deploy IPv6 because there isn't a lot of content on v6, and virtually none exclusively on v6 — so they don't expand the universe of interesting stuff on the web by deploying IPv6. Basically the same things could be said about DNSSEC. Content providers don't sign their domains so there is little reason to validate; and no one is validating so there is little reason to sign, at least until recently. Fortunately this is starting to change on both fronts.
Depending on where you are in the world the shelves of IPv4 addresses are bare and so not taking some kind of transitional steps is no longer an option. The good news is there are a lot of choices. The bad news is… there are a lot of choices. In addition to dual stack, there are several flavors of carrier grade NATs — 444, DNS64/NAT64 and more, as well as various options for tunneling IPv4 traffic over IPv6 and vice versa; and more. The list is long due to the extraordinarily diverse network requirements and the many (many) years the industry has had to think about the problem and figure out ways to solve it.
Deployment of DNSSEC is also growing for several reasons. First, it is quickly becoming evident that it is deployable. Comcast proved validation can be done at massive scale and they've also signed several thousand domains. They not only better protect their end users but they got universally positive press coverage for their efforts (something most providers covet!). New applications that leverage the security infrastructure DNSSEC provides are another thing driving interest. For instance the IETF's work on DANE (DNS-based Authentication of Named Entities) — which would allow TLS keying material to be published and securely served within the DNS. Applications could be adapted to leverage the new infrastructure and potentially eliminate some of the shortcomings of the existing Certificate Authorities.
Other interesting ideas are popping up — like the ROVER (Route Origin Verification) proposal to store routing prefixes in the DNS and identify the authorized origin ASNs for those prefixes. All the ideas may not get adopted, but they demonstrate what is possible when a proven, ubiquitous, scalable infrastructure is available.
The industry is demonstrating innovation always prevails on the Internet. It's not yet clear what the prevalent methods for managing the shortage of IPv4 addresses will be, but there don't appear to be any visible detractors predicting imminent doom. The road to DNSSEC has also been long, but clever uses for a new secure infrastructure will go a long way toward paving the road.
IPv6 and DNSSEC represent a crucial moment in your network infrastructure. It's not everyday that major updates and structural changes to the network are on tap. Since there's investment involved it makes sense to build the new infrastructure with the future in mind, being sure essential network services like DNS and DHCP engines are capable of adapting quickly and supporting new applications that will leverage this new infrastructure.
By Bruce Van Nice, Director of Product Marketing at Nominum
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DDoS Protection
Neustar DNS Services
Minds + Machines