"DNSSEC-enabled traffic is slightly different than the DNS traffic we've had in the past. The packets are larger… Based on anecdotal information, there are some pieces of equipment that have issues with this," Larson says, pointing out that some network gear has default configurations limiting DNS packets to 512 bytes whereas DNSSEC packets can be as large as 4KB.
To help the Internet industry prepare for DNSSEC, VeriSign has opened an interoperability lab in Dulles, Va., where network hardware and software vendors can test their products to make sure they support DNSSEC. Cisco and Juniper Networks are among the vendors that have been testing their products in the VeriSign lab.
"We're not certifying equipment, and we're not doing performance testing," Larson says. "Our interoperability lab is a free service for anybody who wants to see how their gear is going to fare in the DNSSEC environment. We will run our battery of tests, and it's up to them to decide what to do."
VeriSign says it opened the interoperability lab because it is trying to promote DNSSEC.
"We are investing in signing the root zone and signing .com and .net, but doing that alone won't be enough for DNSSEC deployment," Larson says. "The idea [of the interoperability lab] is to highlight the issue so everybody on the Internet is aware that DNSSEC is coming."
Momentum has been building for DNSSEC since the Kaminsky bug was discovered.
Other top-level domains that are in the process of deploying DNSSEC or have already done so include the U.S. federal government's .gov domain, the Public Interest Registry's .org domain for non-profits and country code top-level domains operated by Sweden, Puerto Rico, Bulgaria and Brazil.
In other DNSSEC news, Comcast is the first U.S. carrier to announce a public trial of its DNSSEC signing and resolution services.