Home / Blogs

The Business Parallels Between IPv6 and DNSSEC

Bruce Van Nice

For two things that would seem to be completely unrelated there is an interesting parallel between IPv6 and DNSSEC. In both cases there is a misalignment of interests between content providers and service
providers. Content providers aren't highly motivated to deploy IPv6 because only a small proportion of users have v6 connectivity and even fewer only have v6. Service providers aren't anxious to deploy IPv6
 because there isn't a lot of content on v6, and virtually none exclusively on v6 — so they don't expand the universe of interesting stuff on the web by deploying IPv6. Basically the same things could be said about DNSSEC. Content providers don't sign their domains so there is little reason to validate; and no one is validating so there is little reason to sign, at least until recently. Fortunately this is starting to change on both fronts.

Depending on where you are in the world the shelves of IPv4 addresses are bare and so not taking some kind of transitional steps is no longer an option. The good news is there are a lot of choices. The bad news is… there are a lot of choices. In addition to dual stack, there are several flavors of carrier grade NATs — 444, DNS64/NAT64 and more, as well as various options for tunneling IPv4 traffic over IPv6 and vice versa; and more. The list is long due to the extraordinarily diverse network requirements and the many (many) years the industry has had to think about the problem and figure out ways to solve it.

Deployment of DNSSEC is also growing for several reasons. First, it is quickly becoming evident that it is deployable. Comcast proved validation can be done at massive scale and they've also signed several thousand domains. They not only better protect their end users but they got universally positive press coverage for their efforts (something most providers covet!). New applications that leverage the security infrastructure DNSSEC provides are another thing driving interest. For instance the IETF's work on DANE (DNS-based Authentication of Named Entities) — which would allow TLS keying material to be published and securely served within the DNS. Applications could be adapted to leverage the new infrastructure and potentially eliminate some of the shortcomings of the existing Certificate Authorities.

Other interesting ideas are popping up — like the ROVER (Route Origin Verification) proposal to store routing prefixes in the DNS and identify the authorized origin ASNs for those prefixes. All the ideas may not get adopted, but they demonstrate what is possible when a proven, ubiquitous, scalable infrastructure is available.

The industry is demonstrating innovation always prevails on the Internet. It's not yet clear what the prevalent methods for managing the shortage of IPv4 addresses will be, but there don't appear to be any visible detractors predicting imminent doom. The road to DNSSEC has also been long, but clever uses for a new secure infrastructure will go a long way toward paving the road.

IPv6 and DNSSEC represent a crucial moment in your network infrastructure. It's not everyday that major updates and structural changes to the network are on tap. Since there's investment involved it makes sense to build the new infrastructure with the future in mind, being sure essential network services like DNS and DHCP engines are capable of adapting quickly and supporting new applications that will leverage this new infrastructure.

By Bruce Van Nice, Director of Product Marketing at Nominum

Related topics: Cybersecurity, DNS, DNS Security, Internet Protocol, IP Addressing, IPv6


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


While DNSSEC might be appealing to technical Michele Neylon  –  Jun 13, 2012 5:57 PM PDT

While DNSSEC might be appealing to technical users I can't see it being adopted or there being any tangible demand for it until normal users can "see" it.

Last time I checked the only way to "see" DNSSEC was with a 3rd party plugin for Firefox.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative IPv4 trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Avenue4 Helps IPv4 Sellers and Buyers Gain Market Access, Overcome Complexities

Introduction to ACCELR/8 - Fast Lane to the IPv4 Market

Avenue4 Launches ACCELR/8, Transforming the IPv4 Market with Automated Order-Driven Trading

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider