Home / Blogs

The Business Parallels Between IPv6 and DNSSEC

For two things that would seem to be completely unrelated there is an interesting parallel between IPv6 and DNSSEC. In both cases there is a misalignment of interests between content providers and service?providers. Content providers aren’t highly motivated to deploy IPv6 because only a small proportion of users have v6 connectivity and even fewer only have v6. Service providers aren’t anxious to deploy IPv6? because there isn’t a lot of content on v6, and virtually none exclusively on v6—so they don’t expand the universe of interesting stuff on the web by deploying IPv6. Basically the same things could be said about DNSSEC. Content providers don’t sign their domains so there is little reason to validate; and no one is validating so there is little reason to sign, at least until recently. Fortunately this is starting to change on both fronts.

Depending on where you are in the world the shelves of IPv4 addresses are bare and so not taking some kind of transitional steps is no longer an option. The good news is there are a lot of choices. The bad news is… there are a lot of choices. In addition to dual stack, there are several flavors of carrier grade NATs—444, DNS64/NAT64 and more, as well as various options for tunneling IPv4 traffic over IPv6 and vice versa; and more. The list is long due to the extraordinarily diverse network requirements and the many (many) years the industry has had to think about the problem and figure out ways to solve it.

Deployment of DNSSEC is also growing for several reasons. First, it is quickly becoming evident that it is deployable. Comcast proved validation can be done at massive scale and they’ve also signed several thousand domains. They not only better protect their end users but they got universally positive press coverage for their efforts (something most providers covet!). New applications that leverage the security infrastructure DNSSEC provides are another thing driving interest. For instance the IETF’s work on DANE (DNS-based Authentication of Named Entities)—which would allow TLS keying material to be published and securely served within the DNS. Applications could be adapted to leverage the new infrastructure and potentially eliminate some of the shortcomings of the existing Certificate Authorities.

Other interesting ideas are popping up—like the ROVER (Route Origin Verification) proposal to store routing prefixes in the DNS and identify the authorized origin ASNs for those prefixes. All the ideas may not get adopted, but they demonstrate what is possible when a proven, ubiquitous, scalable infrastructure is available.

The industry is demonstrating innovation always prevails on the Internet. It’s not yet clear what the prevalent methods for managing the shortage of IPv4 addresses will be, but there don’t appear to be any visible detractors predicting imminent doom. The road to DNSSEC has also been long, but clever uses for a new secure infrastructure will go a long way toward paving the road.

IPv6 and DNSSEC represent a crucial moment in your network infrastructure. It’s not everyday that major updates and structural changes to the network are on tap. Since there’s investment involved it makes sense to build the new infrastructure with the future in mind, being sure essential network services like DNS and DHCP engines are capable of adapting quickly and supporting new applications that will leverage this new infrastructure.

Filed Under


While DNSSEC might be appealing to technical Michele Neylon  –  Jun 14, 2012 12:57 AM

While DNSSEC might be appealing to technical users I can’t see it being adopted or there being any tangible demand for it until normal users can “see” it.

Last time I checked the only way to “see” DNSSEC was with a 3rd party plugin for Firefox.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign


Sponsored byDNIB.com


Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix