DNS Security Extensions (DNSSEC), part of our extensive DNS security offerings, enable you to publish your namespace so that validating resolvers can be assured that the data they receive, purportedly from you, was indeed published on your DNS servers and was not manipulated en route. In fact, DNSSEC is the only definitive solution identified for dangerous cache poisoning attacks.
DNSSEC, a necessary evil
Unfortunately, DNSSEC configuration and operation require strong technical expertise, not only for initial configuration but also for ongoing monitoring and maintenance of signed zone data. These tasks include creating key signing keys and zone signing keys, signing zone information, and rolling keys. The Sapphire Sx20 and Sx10D hardware and virtual appliances from Diamond IP are secure DNSSEC appliances that automate key generation, zone signing, and key rollover based on your policies.
Diamond IP automates DNSSEC
The Sx models provide “set and forget” policy operation to automate the setup and ongoing management tasks associated with signed zones. The Sapphire Sx-series appliances can be deployed as standalone authoritative DNS appliances or in a multi-master pair. This intra- or inter-site redundancy enables seamless transitioning of signed zone integrity in the event of a failure of an Sx appliance or its corresponding site. Our unique dual corroboration technology facilitates reliable failover while minimizing flapping and flash key rollovers.
Security with centralized management
IPControl software from Diamond IP provides comprehensive DNS management for your signed and unsigned zones, with support for all BIND option parameters, views, all resource record types and much more. Zones can be deployed to the Sapphire hardware or virtual Sx appliances for automated key and signature maintenance. IPControl also enables configuration of DNSSEC validation parameters for your stock BIND servers or Sapphire appliances serving as validating resolvers on behalf of your clients.