Security and Stability Advisory Committee (SSAC)

The SSAC is a volunteer group of specialists in the technical security field that provides advice and insight to the ICANN community and the Board.

Survey of DNSSEC Capable DNS Implementations

Updated 15 July 2008

Background  |  Methodology  |  Survey Questions  |  Survey Results  |  Disclaimer

Background

SAC 026 [PDF, 29 KB], SSAC Statement to ICANN and Community on Deployment of DNSSEC, identifies issues have been exposed with respect to DNSSEC and recommends actions IANA, registries, registrars, and ICANN should take to improve the security of the DNS through the deployment of DNS Security Extensions. In the Statement, SSAC indicated that it would study the availability of DNSSEC on commonly used DNS server platforms. This page identifies the method SSAC adopted to conduct the survey, the survey questions, and collates the survey responses in tabular form.

Methodology

SSAC members identified approximately 40 commercial and open source DNS implementations. Members obtained contact information for companies providing commercial DNSproducts and open source developers. The committee authorized David Piscitello to send email messages explaining the purpose of the survey to these contacts.The email message asked a set of DNSSEC implementation survey questions andasked that the contacts provide a response for each product supported. The email message also explained that responses were voluntary and that the responses would be posted publicly, on this page.

Survey Questions

The survey asked the following questions:

  1. When will you support DNSSEC standards (RFCs 4033-4035)?

    Today:
    <Product name as you wish it to be published, version/release>

    1. Does this implementation support recursion (i.e., accept queries with RD=1)?
    2. Can the product perform DNSSEC validation?
    3. Can the product act as an authority server?
    4. Can it host a signed zone and return DNSSEC metadata when requested via the DO bit?

    Under development:
    <specify release/version and estimated availability>  

    No plans to implement:
    <state reason (optional)>

  2. When will you support NSEC3 (RFC 5155)?

    Today:
    <product name as you wish it to be published, version/release>

    Under development:
    <specify release/version and estimated availability (year/quarter)>

    No plans to implement:
    <state reason (optional)>

  3. When will you provide DNSSEC key management tools?

    Today:
    <product name as you wish it to be published, version/release>

    Under development:
    <specify release/version and estimated availability (year/quarter)>

    No plans to implement:
    <state reason (optional)>

  4. Have you performed Interoperability testing with your product deployed as an authoritative NS to a DNSSEC-aware recursive resolver?
    <Please list products tested>

  5. Have you performed Interoperability testing with your product deployed as a recursive resolver to DNSSEC-aware stub resolvers
    <Please list products tested>

  6. Have you performed Interoperability testing with your product deployed as a DNSSEC-aware stub resolver to a recursive resolver?
    <Please list products tested>

  7. What encryption algorithms do you support?
    <Specify key sizes supported>

  8. Do you provide DNSSEC-aware utilities with your product?
    <Please list utilities>

  9. Does your product support recursion (i.e., will it accept queries with RD=1)?

  10. If your product supports recursion,

    1. Can it perform DNSSEC validation?
    2. Can it act as an authority server?
    3. Can it host a signed zone and return DNSSEC metadata when requested via the DO bit?

Survey Results

Tables 1-3 are available in a downloadable file [PDF, 77 KB].

Disclaimer

The information provided on this page was voluntarily disclosed by commercial DNS server vendors and by developers of open source and free distribution DNS software. DNS implementations may evolve over time and thus, this survey may not reflect subsequent changes in feature availability that is not reported to the SSAC. We recommend that you contact vendors and developers for the most current status of their DNSSEC implementation. [Note: SSAC is aware that certain DNS operators and providers have proprietary implementations but has only anecdotal information regarding which operators deploy DNS in this manner. The committee encourages all operators who have proprietary implementations to contact us with answers to the survey questions. We will include all responses we receive.]

Only product information is published from the report. Personal or company contact information has not been shared or disclosed to any parties other than SSAC members and ICANN staff that assisted in the preparation of this report. SSAC publishes survey results as they are received; thus, this survey is at this time a living document. Subsequent to the initial survey, vendors may request that SSAC update DNSSEC implementation availability by answering the survey questions and submitting these to ssac-fellow@icann.org.

<date>