Home / Blogs

The Business Parallels Between IPv6 and DNSSEC

Bruce Van Nice

For two things that would seem to be completely unrelated there is an interesting parallel between IPv6 and DNSSEC. In both cases there is a misalignment of interests between content providers and service
providers. Content providers aren't highly motivated to deploy IPv6 because only a small proportion of users have v6 connectivity and even fewer only have v6. Service providers aren't anxious to deploy IPv6
 because there isn't a lot of content on v6, and virtually none exclusively on v6 — so they don't expand the universe of interesting stuff on the web by deploying IPv6. Basically the same things could be said about DNSSEC. Content providers don't sign their domains so there is little reason to validate; and no one is validating so there is little reason to sign, at least until recently. Fortunately this is starting to change on both fronts.

Depending on where you are in the world the shelves of IPv4 addresses are bare and so not taking some kind of transitional steps is no longer an option. The good news is there are a lot of choices. The bad news is… there are a lot of choices. In addition to dual stack, there are several flavors of carrier grade NATs — 444, DNS64/NAT64 and more, as well as various options for tunneling IPv4 traffic over IPv6 and vice versa; and more. The list is long due to the extraordinarily diverse network requirements and the many (many) years the industry has had to think about the problem and figure out ways to solve it.

Deployment of DNSSEC is also growing for several reasons. First, it is quickly becoming evident that it is deployable. Comcast proved validation can be done at massive scale and they've also signed several thousand domains. They not only better protect their end users but they got universally positive press coverage for their efforts (something most providers covet!). New applications that leverage the security infrastructure DNSSEC provides are another thing driving interest. For instance the IETF's work on DANE (DNS-based Authentication of Named Entities) — which would allow TLS keying material to be published and securely served within the DNS. Applications could be adapted to leverage the new infrastructure and potentially eliminate some of the shortcomings of the existing Certificate Authorities.

Other interesting ideas are popping up — like the ROVER (Route Origin Verification) proposal to store routing prefixes in the DNS and identify the authorized origin ASNs for those prefixes. All the ideas may not get adopted, but they demonstrate what is possible when a proven, ubiquitous, scalable infrastructure is available.

The industry is demonstrating innovation always prevails on the Internet. It's not yet clear what the prevalent methods for managing the shortage of IPv4 addresses will be, but there don't appear to be any visible detractors predicting imminent doom. The road to DNSSEC has also been long, but clever uses for a new secure infrastructure will go a long way toward paving the road.

IPv6 and DNSSEC represent a crucial moment in your network infrastructure. It's not everyday that major updates and structural changes to the network are on tap. Since there's investment involved it makes sense to build the new infrastructure with the future in mind, being sure essential network services like DNS and DHCP engines are capable of adapting quickly and supporting new applications that will leverage this new infrastructure.

By Bruce Van Nice, Director of Product Marketing at Nominum

Related topics: DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

While DNSSEC might be appealing to technical Michele Neylon  –  Jun 13, 2012 5:57 PM PDT

While DNSSEC might be appealing to technical users I can't see it being adopted or there being any tangible demand for it until normal users can "see" it.

Last time I checked the only way to "see" DNSSEC was with a 3rd party plugin for Firefox.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Dyn Acquires Managed DNS Provider Nettica

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Sponsored Topics