|
|
|
|
|
|
| ISP Resources |
| ISP-Lists ISP Glossary ISP News The List ISPCON Events Free Newsletters |
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
Automating DNSSEC
DNSSEC is a great answer to the DNS problem we're all concerned about, but deploying it in an ISP environment is not a trivial task.
ISP-Planet Managing Editor [August 5, 2008] |
 |
Greenwood, Colo.-based Secure64 has a solution that will make deploying DNSSEC easier. Joe Gersch, vice president of engineering at Secure64, explains that the product is there to help administrators of complicated environments, such as that of an ISP or webhost. "Especially if you have many zones (you could have thousands if you're in webhosting) you need to make DNSSEC as easy as psuhing the staple button (like Staples, "that was easy"). This removes barriers to widescale deployment."
So, if you've got a Linux machine running BIND, you install a Secure64 server as a signer. "Many service providers have spreadsheets or a database or an IP Address Management (IPAM) system or a home grown system to keep track of zones. Eventually, most build a zone file and put it on a BIND server. We sign that file and keep a hidden master."
Gersch explains that the secret master, the Secure64 server, keeps a hash, so that if even one bit changes, the cashing server will not accept the poisoned data. Generating keys takes time, but validating them is not too complex. "We can validate 6,000 per second."
SourceT
Secure64's product is based on something it calls SourceT. More secure than hardened Linux, it's a purpose built OS designed to be immune to rootkits and malware. Among those features, the Secure64 site lists: authenticated boot process (so that a modified version of the OS cannot run), hardware-protected memory compartments, independent read/write/execute privileges, and more.
Gersch emphasizes that the product does not require a rip and replace. "We can be your DNS server or pass on data to the existing ISP infrastructure. We want to fit into your infrastructure, not replace it."
Gersch claims that his competition isn't another company; it's open source scripts designed to make it easier to deploy DNSSEC, and he admits that depending on the size of the environment you're in charge of and your knowledge of the underlying technology, those scripts could be all you need.
He's posted some videos to youtube (with CC licensed rock music—if you're in an office, use headphones). The first, Protecting your business with DNSSEC, covers why you would deploy DNSSEC, and the second, Secure64 Tech Talk Series - Deploying DNSSEC, discusses how.
DNSSEC
DNSSEC is an IETF standard, supported by the work of many people, and also now supported in part by a grant from the U.S. government.
Gersch says that ISPs need to deploy the patch and need to get DNSSEC deployed too.
He adds that what Secure64 does is to make a complex activity much easier. Time is money, and the system automates what could be seven, eight, or nine manual steps foreach zone.
Pricing and availability
Secure64's products are available now. Pricing was not available at press time.
—End
| Related articles: | ||
| [Jan. 22, 2008] | NeuStar Offers to Manage Your DNS | |
| [Jan. 3, 2003] | Iceland's Best DNS Software | |
| [Aug. 1, 1999] | Rooting Out DNS Errors | |
|
|
| Best of ISP-Planet | ||
|---|---|---|
|
ISP-Planet
Guide
ISP-Planet's Principal Studies Directories:
Q2 2008 Top U.S. ISPs by Subscriber (Updated 08/29/2008)
ISP-Planet's Blogroll | ||
ISP-Planet's
RSS feed
Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia
Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers