Disclaimer: Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST.


SNIP Vendor Participation Page

These pages are set up to give a brief description of the various software and hardware components that make up the SNIP domain.

On the left, there is a listing of the companies/organizations that have contributed software, or specialized hardware participating on the SNIP. These items are either donated, open source, or being run by the vendor within their organization. A brief description of the organization and what is being used is given for each contributor. This is not meant as an endorsement or a full evaluation, only an acknowledgment that the software/hardware component has been used (or is in current use) with the dnsops.gov and dnsops.biz domains.

On each individual page, there is a brief description of the hardware/software used and how it is being used on the SNIP. Any unique configuration and/or modification that was necessary for working with the SNIP is also listed. In some cases the software is open source, and links to download the software are provided; all product pages also have links to developers for more information.

As new devices/software are added to the SNIP, these pages will be updated. Individual vendor pages will also be updated with new information as more experience is gained or new features are encountered and tested.


What you should ask your vendors when planning for DNSSEC

The most important thing to consider when looking for products that implement DNSSEC is to know the current procedures for serving and maintaining the DNS within your particular organization. If you have a particular content management system for DNS, it is important that any new DNSSEC products or upgrades can work with your current process. Remember that DNSSEC requires some new procedures such as key generation, signing, and key management.

Also remember that DNSSEC is only as good as the data that is being signed and that DNSSEC is a data authentication mechanism. Protecting the integrity and authenticity of the data is just as important as protecting the keys used to digitally sign that data. That may even require a re-design of an organization's zone data management system beyond the addition of DNSSEC.

General:

Note that this only applies if the product performs some cryptographic operation (key generation, digital signing, validation, etc.). Some products may rely on third-party libraries for cryptographic support. For example, BIND uses OpenSSL libraries (by default) for cryptographic operations, so administrators must ensure that the OpenSSL version they are using with BIND has been FIPS 140 certified.

Note that this is more important if the product will be used to deploy DNSSEC in networks that are managed using dynamic update, where signing keys must be kept online.

Consider how you manage zone data now, and how this product will integrate.

If your organization uses Microsoft AD for its LAN, it may require some interaction between AD and the DNSSEC product.

If it does crypto:

For Federal use, DNSSEC keys must all be 2048 bit RSA/SHA-1 or RSA/SHA-256. RSA/SHA-256 is relatively new to DNSSEC, so not all products may support it yet. However, RSA/SHA-1 must be present and the product must be able to generate 2048 bit (or larger) public-private key pairs. Refer to NIST SP 800-57 Part 1 for more information.

There is no requirement to use NSEC3 with DNSSEC, but administrators wishing to reduce the risk of zone walking should consider using NSEC3. More complete guidelines and the tradeoffs of using NSEC3 are detailed in NIST SP 800-81r1. All validators should understand NSEC3 because some large zones will be using NSEC3, so resolvers and validators will have to understand NSEC3 responses to fully function.

If the product does not do crypto, there may be a way to integrate an HSM to do the cryptographic operations. This allows for a key to be adequately protected and still available for active servers.
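The Federal key requirement above (2048-bit or larger RSA/SHA-1 or RSA/SHA-256 keys) can be checked directly against the DNSKEY records a product generates. The following is an added example, not code from NIST or any SNIP vendor: it parses the RFC 3110 RSA public key field to measure the modulus. It assumes algorithm 7 (RSA/SHA-1 with NSEC3 signalling) counts as RSA/SHA-1; the zone name and key material are constructed.

```python
import base64

# IANA DNSSEC algorithm numbers for the RSA variants named in the requirement.
# Assumption: 7 (RSA/SHA-1 with NSEC3 signalling, RFC 5155) counts as RSA/SHA-1.
ALLOWED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS = 2048


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the modulus size of an RFC 3110 RSA public key field."""
    if not pubkey:
        raise ValueError("empty public key")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: a 2-byte exponent length follows the zero byte
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()


def check_dnskey(record: str) -> tuple[bool, str]:
    """Check one record: owner [ttl] [class] DNSKEY flags protocol algorithm key..."""
    fields = record.split()
    i = fields.index("DNSKEY")
    alg = int(fields[i + 3])
    if alg not in ALLOWED_ALGS:
        return False, f"algorithm {alg} is not RSA/SHA-1 or RSA/SHA-256"
    bits = rsa_modulus_bits(base64.b64decode("".join(fields[i + 4:])))
    if bits < MIN_BITS:
        return False, f"{ALLOWED_ALGS[alg]} key is {bits} bits, below {MIN_BITS}"
    return True, f"{ALLOWED_ALGS[alg]} {bits}-bit key"


def constructed_key(modulus_bytes: int) -> str:
    """Constructed sample key field: exponent 65537 plus a filler modulus."""
    raw = b"\x03\x01\x00\x01" + b"\xc3" + b"\x5b" * (modulus_bytes - 1)
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    for rec in (
        "example.test. 3600 IN DNSKEY 257 3 8 " + constructed_key(256),
        "example.test. 3600 IN DNSKEY 256 3 5 " + constructed_key(128),
        "example.test. 3600 IN DNSKEY 256 3 13 AAAA",
    ):
        print(check_dnskey(rec))
```

Feeding it the DNSKEY lines from a signed zone file or a resolver query shows whether a product's key generation defaults meet the size and algorithm requirement.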


Questions or comments should be sent to SNIP admins.

Date created 6/2/2008. Last updated 9/10/2009.