Home / Blogs

The Business Parallels Between IPv6 and DNSSEC

Bruce Van Nice

For two things that would seem to be completely unrelated there is an interesting parallel between IPv6 and DNSSEC. In both cases there is a misalignment of interests between content providers and service
providers. Content providers aren't highly motivated to deploy IPv6 because only a small proportion of users have v6 connectivity and even fewer only have v6. Service providers aren't anxious to deploy IPv6
 because there isn't a lot of content on v6, and virtually none exclusively on v6 — so they don't expand the universe of interesting stuff on the web by deploying IPv6. Basically the same things could be said about DNSSEC. Content providers don't sign their domains so there is little reason to validate; and no one is validating so there is little reason to sign, at least until recently. Fortunately this is starting to change on both fronts.

Depending on where you are in the world the shelves of IPv4 addresses are bare and so not taking some kind of transitional steps is no longer an option. The good news is there are a lot of choices. The bad news is… there are a lot of choices. In addition to dual stack, there are several flavors of carrier grade NATs — 444, DNS64/NAT64 and more, as well as various options for tunneling IPv4 traffic over IPv6 and vice versa; and more. The list is long due to the extraordinarily diverse network requirements and the many (many) years the industry has had to think about the problem and figure out ways to solve it.

Deployment of DNSSEC is also growing for several reasons. First, it is quickly becoming evident that it is deployable. Comcast proved validation can be done at massive scale and they've also signed several thousand domains. They not only better protect their end users but they got universally positive press coverage for their efforts (something most providers covet!). New applications that leverage the security infrastructure DNSSEC provides are another thing driving interest. For instance the IETF's work on DANE (DNS-based Authentication of Named Entities) — which would allow TLS keying material to be published and securely served within the DNS. Applications could be adapted to leverage the new infrastructure and potentially eliminate some of the shortcomings of the existing Certificate Authorities.

Other interesting ideas are popping up — like the ROVER (Route Origin Verification) proposal to store routing prefixes in the DNS and identify the authorized origin ASNs for those prefixes. All the ideas may not get adopted, but they demonstrate what is possible when a proven, ubiquitous, scalable infrastructure is available.

The industry is demonstrating innovation always prevails on the Internet. It's not yet clear what the prevalent methods for managing the shortage of IPv4 addresses will be, but there don't appear to be any visible detractors predicting imminent doom. The road to DNSSEC has also been long, but clever uses for a new secure infrastructure will go a long way toward paving the road.

IPv6 and DNSSEC represent a crucial moment in your network infrastructure. It's not everyday that major updates and structural changes to the network are on tap. Since there's investment involved it makes sense to build the new infrastructure with the future in mind, being sure essential network services like DNS and DHCP engines are capable of adapting quickly and supporting new applications that will leverage this new infrastructure.

By Bruce Van Nice, Director of Product Marketing at Nominum

Related topics: DNS, DNS Security, Internet Protocol, IP Addressing, IPv6, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


While DNSSEC might be appealing to technical Michele Neylon  –  Jun 13, 2012 4:57 PM PST

While DNSSEC might be appealing to technical users I can't see it being adopted or there being any tangible demand for it until normal users can "see" it.

Last time I checked the only way to "see" DNSSEC was with a 3rd party plugin for Firefox.

To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Sponsored Topics

Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines

DNS Security

Sponsored by


Sponsored by


Sponsored by