DNS Security Extensions (DNSSEC) enables DNS zone administrators to digitally sign zone file information so users resolving this DNS information can be assured of its authenticity. DNSSEC utilizes asymmetric cryptography, also known as public key cryptography, which provides for digital signatures to secure DNS resolutions. Digital signatures provide a means for the recipient of a given set of data to verify the integrity of that data and to authenticate the origin of the data; i.e., to confirm that it was actually sent by the claimed data sender. In the context of DNS, this assures the resolver that the zone publisher indeed published the resolved data and that the data was not modified as received from the server.
Deployment and ongoing management of DNSSEC offers enhanced security against cache poisoning attacks, though the administrative effort required is not trivial. The management of multiple keys per signed zone, key rollover, signature expirations, and configuration of servers to utilize DNSSEC can be intimidating. The Sapphire Sx20 DNSSEC appliance from BT Diamond IP can help simplify these tasks through menu-driven parameter entry of policies to automate many of these functions.
The Sapphire Sx20 supports a dedicated DNSSEC administrator login to configure DNSSEC key and signature policies, including key types, algorithms, lengths, and rollover, as well as key generation, lifetime management, and signature expiration times. The Sapphire Sx20 also automatically links parent zone Delegation Signer (DS) records to simplify key rollover for managed zones. In addition, the Sapphire Sx20 supports the PKCS#11 crypto API to enable secure storage of private keys on an optional hardware security module (HSM) appliance such as the Keyper appliance from AEP Networks.
The Sapphire Sx20 DNSSEC appliance is typically deployed as a hidden master for your signed zones. Sapphire x5, x10 or x20 appliances or even stock BIND servers running on your hardware can be used as secondaries or slaves of the Sx20 to provide signed resolutions to queriers seeking to resolve your DNS zone information. The IPControl system enables you to manage all signed and unsigned zones and deploy configurations to respective Sapphire or BIND DNS servers.
Deploying IPControl’s Sapphire Sx20 appliances within your environment will simplify DNSSEC management through automation and integration with your overall DNS domain plan, typically consisting of signed and unsigned zones. Deployment with the innovative IPControl system enables you to manage signed zone policies with the Sx20, and configure your caching recursive servers for DNSSEC validation as well. You can also manage all BIND options to configure all “allow” options (e.g., allow-query, allow-query-cache, etc.), address match lists (ACLs), TSIG keys and more for added security. The Sapphire Sx20 and all Sapphire appliances also support port level ACLs as well as DNS anycast.
Each Sapphire Sx20 appliance is purpose-built with a hardened Linux kernel to help secure your network from risk of intrusion on a 2U platform offering data center-quality security, performance, redundancy and management. The Sapphire Sx20 supports an IPMI interface, providing a lights-out management interface for remote power control and monitoring of key hardware metrics including voltage, temperature and more. In addition, all models can be deployed with TwinMirror™ automated failover to ensure business continuity.
Sapphire Sx20 DNSSEC appliances offer centralized configuration and management with full support of the extensive IPControl feature set, including:
Sapphire Sx20 DNSSEC Appliance: Automate DNSSEC management with the Sapphire Sx20 DNSSEC appliance
IPControl™ Sapphire Appliance: Simple, secure, comprehensive IP management appliance solution
Securing Domain Name Resolution with DNSSEC: This white paper discusses the fundamentals of DNSSEC technology and summarizes the various administrative tasks required to implement DNSSEC.