ISPs, particularly those with a large business customer-base can gain competitive advantage by addressing their customers increasing concerns with online security. They are certainly at a disadvantage by not addressing them!
DNSSEC protects against Man in the Middle and cache poisoning attacks, which can result in your customers being misdirected to malicious websites and/or disrupt their services that rely on DNS such as email and VOIP. Business customers are particularly concerned about the threat of data loss and may pay a premium for improved security.
But implementing and managing DNSSEC can be complicated, costly and time-consuming:
- All your zones need to be signed for DNSSEC to be effective – a big task for large networks
- DNSSEC keys need to be stored securely so that they cannot be changed maliciously
- Keys also need to be periodically updated – known as ‘key rollover’.
- Additional DNSSEC steps in DNS resolution may introduce unwanted latency
Key rollover is particularly complex and requires very careful administration. If you get it wrong, keys which are no longer valid remain cached in other DNS servers around the world or are not synchronised with your own upstream servers. In such cases, clients using DNSSEC would be unable to resolve your records. With lots to know and manage, manual key rollover is incredibly error-prone.
You need a solution that, like DNSBOX:
- Automates DNSSEC key management and rollover
- Automates zone signing for rapid implementation
- Makes it easy to store DNSSEC keys securely
- Uses a high performance resolver to mitigate the extra latency of DNSSEC requests
 |