Xerocole Makes DNSSEC Safer and Cheaper for Carriers to Deploy

Programmable AnswerX System Prevents Unexpected Service Interruptions; Automates Manually Intensive Planning, Rollout and Troubleshooting Processes

BOULDER, Colo.--(BUSINESS WIRE)-- Xerocole, the intelligent broadband DNS company, today announced that Xerocole AnswerX, the DNS recursive resolver within the Xerocole DNS WorX platform, enables broadband network operators to support DNSSEC and DNS simultaneously. This unified capability, which is fully programmable, allows carriers to gradually deploy DNSSEC, troubleshoot and mitigate problems, and prevent remote configuration errors from causing service interruptions – all without requiring additional operations staff. Using AnswerX, carriers can segregate DNSSEC and non-DNSSEC customers, implement policy-based responses for failures and perform a measured rollout.


In March of this year the FCC issued a report that recommends ISPs implement their DNS recursive nameservers so that they are at a minimum DNSSEC-aware, as soon as possible. However, the report cautions that:

“Like any significant new functionality, ISPs are well-advised to gradually enable DNSSEC validation in their networks. Simultaneously turning validation on for all users and on all servers would likely pose a significant operational risk. One challenge during the time when only some ISPs perform DNSSEC validation is that some domains may not properly sign their domain, may mismanage key rollovers, or may make other DNSSEC-related configuration errors. This will very likely render their domain unreachable via those ISPs that perform DNSSEC validation.”

AnswerX Prevents DNSSEC Outages

To enable controlled and successful DNSSEC implementations, while avoiding service interruptions caused by internal or external DNSSEC configuration problems, AnswerX provides network operators with the following capabilities:

1. Partitioning: Separates DNSSEC transactions from non-DNSSEC transactions and provides full separation of caches, responses, and processing. This allows a carrier to gradually roll out DNSSEC by providing support for business and consumer subscribers that request it, while maintaining DNS service for all other customers.

2. Soft Failure Support: Allows subscribers to access websites even when the destination site’s DNSSEC key is incorrect, missing, etc.

3. DNSSEC Statistics: Tracks percentage of… DNS queries asking for DNSSEC validation, responses that validate successfully, responses that fail validation, soft-failures, responses that are from unsigned domains, etc. This data enables network operators to determine the right time to transition from soft failures to hard failures.

4. Monitoring: Provides visibility into DNSSEC behavior for domains operated by the service provider to identify and alert on pending or actual problems, such as key expiration, key rotation, etc. -- so they can be addressed to prevent service interruptions.

5. Programmable Policy: Enables network operators to create exception rules and emergency override lists for customers, networks, and domains that use DNSSEC. For example, a policy could be created that allows a website to be accessed for a given period of time (hours, days, etc.) when a DNSSEC validation failure occurs. This allows the domain operator to be notified and given time to fix the problem before validation failures are implemented. Xerocole policies are easily created using simple dynamic tables fed from centralized servers. As a result, there’s no need for monitoring failures and creating “Negative Trust Anchors”.

6. Maintain DNS Services: Allows a service provider to continue to operate non-DNSSEC revenue-generating services such as search guide

“While DNSSEC is great for Internet security, its implementation can be complex and risky for Internet service providers,” said Rob Fleischman, CTO of Xerocole.

“That’s because full DNSSEC support depends not only on a functional solution in a network operator’s own network, but also on correct behavior from the authoritative DNS servers. Last year, a problem with the DNSSEC configuration at NASA.gov denied access to customers that were using DNSSEC – even though the website was operational and accessible to visitors that were not using DNSSEC. As a result, a carrier can be blamed by their customers for DNSSEC outages that are no fault of their own,” he added.

“AnswerX is purpose built for managing DNS including DNSSEC. This allows carriers to not just turn DNSSEC “on or off”, but also to establish a flexible and dynamic policy about what customers and what domains get DNSSEC processing and what specifically happens when things go wrong,” he concluded.

Pricing and Availability

AnswerX for Xerocole DNS WorX is available immediately from Xerocole. It is priced on a subscription basis that includes 24 by 7 support on a per subscriber per year basis.

Resources

Xerocole DNSSEC Video: www.xerocole.com/dnssec_video

Xerocole AnswerX Whitepaper: http://xerocole.com/answerxwhitepaper

Xerocole AnswerX Free Trial: sales@xerocole.com

About Xerocole

Xerocole enables network operators to deliver intelligent broadband DNS services. The company’s products address the biggest challenges facing service providers today: migration to IPv6 and DNSSEC, and complying with the FCC’s new Anti-Botnet Code of Conduct. Xerocole unifies DNS management so carriers can seamlessly support IPv6 and DNSSEC, detect and remediate botnet-controlled devices, provide policy-driven non-existent (NX) domain responses for search monetization and deliver subscriber-aware services. The company saves service providers money while allowing them to deliver faster, personalized and more reliable internet access services. Xerocole technology is currently being used to support more than 30 million subscribers. Xerocole’s management team has been developing carrier scale infrastructure solutions for 15 years at Sandvine, Simplicita, Openwave Systems, and Software.com. For more information visit www.xerocole.com.

Marc Gendron PR
Marc Gendron, 781-237-0341
marc@mgpr.net

Source: Xerocole