2011 Promises to be the Year of IPAM
Two major Internet industry events will occur in 2011 that will shape the future of Internet communications and potentially increase the technical scope of IP managers:
The signing particularly of the .com TLD will enable commercial organizations to greatly simplify the configuration of DNS security (DNSSEC). With the root zones having been signed since July, 2010, the signing of .com will enable commercial organizations beneath the .com zone to sign their zones with an unbroken chain of trust from their respective zones up to .com and finally to the root zone. Thus when you configure your DNS caching servers to authenticate DNS information via DNSSEC, you'll only need to configure the root zone public key as trusted-keys (technically as managed-keys within your BIND configuration so root zone key changes can be updated automatically).
Without this chain of trust you'd have to configure each signed zones' keys as trusted, vastly increasing DNS caching server configuration and administration.So TLD signing will simplify caching server configuration, but you'll still need to configure and manage the keys and signing of your external authoritative zones. Nevertheless, the road to wide-scale DNSSEC implementation will be vastly simplified when these TLDs are signed.
With time running out on the availability of IPv4 address space and the expected wider deployment of DNSSEC, 2011 will be the year to learn more about and begin making plans for IPv6 and DNSSEC deployment. Of course, you'll need to continue managing your current IP address space and DNS zones, signed and unsigned. Implementation of an IPAM solution can help keep IPv4, IPv6 and signed and unsigned DNS zone information organized and processes disciplined.
- Top level IPv4 address space exhaustion
- Top-level domain (TLD) zone signing
The signing particularly of the .com TLD will enable commercial organizations to greatly simplify the configuration of DNS security (DNSSEC). With the root zones having been signed since July, 2010, the signing of .com will enable commercial organizations beneath the .com zone to sign their zones with an unbroken chain of trust from their respective zones up to .com and finally to the root zone. Thus when you configure your DNS caching servers to authenticate DNS information via DNSSEC, you'll only need to configure the root zone public key as trusted-keys (technically as managed-keys within your BIND configuration so root zone key changes can be updated automatically).
Without this chain of trust you'd have to configure each signed zones' keys as trusted, vastly increasing DNS caching server configuration and administration.So TLD signing will simplify caching server configuration, but you'll still need to configure and manage the keys and signing of your external authoritative zones. Nevertheless, the road to wide-scale DNSSEC implementation will be vastly simplified when these TLDs are signed.
With time running out on the availability of IPv4 address space and the expected wider deployment of DNSSEC, 2011 will be the year to learn more about and begin making plans for IPv6 and DNSSEC deployment. Of course, you'll need to continue managing your current IP address space and DNS zones, signed and unsigned. Implementation of an IPAM solution can help keep IPv4, IPv6 and signed and unsigned DNS zone information organized and processes disciplined.
Hi Tim,
ReplyDeleteAlthough this is not related to IPAM, I have to add that the expansion of the generic top-level domain (gTLD) space will add another type of challenges to the existing DNS environment without counting all cost involved here.
Is a pleasure share this type of comments with you.
Anonymous ;)
Dear Anonymous,
ReplyDeleteThanks for your comment and you raise a great point! Certainly new gTLD DNS administrators will need to make plans for DNSSEC as well. Service providers supporting address allocation and DNS hosting will need to expand the breadth of domains they support. And enterprises seeking to enable website or email access in "native language" domains will need to look into IDNA (internationalized domain names for applications). Sounds like a great topic for my next post!
Sincerely,
Tim