Internet Technologies > Where Do I Start?

Where Do I Start?

Confused about where to start with IPv6, DNSSEC, securing BGP, anti-spoofing, or using TLS? No matter if your organization is a network operator, a domain name registrar, an IXP, or you are a government representative, a developer, a website owner, or responsible for an enterprise or campus network within a company or other organization—we got you covered.

Why Is the Adoption of These Standards Important?

As predicted years ago, the pool of IPv4 addresses was depleted at the Internet Assigned Numbers Authority (IANA) in early 2011. For the Internet to continue growing and to satisfy the requirements of additional users, devices, and content, Internet Service Providers and network operators must deploy IPv6.

Additionally, as the security of the Domain Name System (DNS) is critical, network operators and ISPs need to understand how they can deploy DNS Security Extensions (DNSSEC).

As Internet service providers and content companies continue to move forward with their IPv6 deployments, it is important for enterprises to enable access to IPv6 resources from their user networks. Even more immediately important is to dual-stack the hosting of your enterprise web and mail services. As the IPv6 user population grows, you want to make sure interaction with your web site and email remains seamless.

Additionally, enterprises need to understand how they can use DNS Security Extensions (DNSSEC) to secure the communication between the enterprise and its customers and also its vendors. DNSSEC provides a means that you can ensure that customers and partners are talking to your website and not that of an attacker masquerading as your site.

Internet service providers and content companies are moving rapidly to deploy IPv6. It is important to ensure your software and applications are updated to support IPv6. As the depleted IPv4 resource and heavily NATed IPv4 network starts to experience degraded performance, software and application users will expect their tools and services to work on the IPv6 Internet.

Additionally, the security of the Domain Name System (DNS) is critical. The DNS Security Extensions (DNSSEC) provide a way to increase the security of DNS. Developers need to understand how they can use DNSSEC within their applications and what new capabilities it offers.

Adoption of new standards by consumer electronics manufacturers is critical to the wider deployment of standards across the Internet. In many cases Internet service providers, content companies and consumers may not move forward with their own new deployments until the devices used on their networks support the new standards. Adoption of these standards is very likely going to influence the purchasing decisions of large consumers of consumer electronics in the coming year.

Additionally, as the security of the Domain Name System (DNS) is critical, vendors need to understand how they can use DNS Security Extensions (DNSSEC) to secure the connections from their equipment and thwart attackers.

Are you a registrar of domain names? Or a reseller of domain names? If so, the 2013 ICANN Registrar Accreditation Agreement (RAA) has some specific operational requirements related to DNSSEC and IPv6. These requirements are documented in “Additional Registrar Operation Specification” on page 67 of the final 2013 RAA.

If you are an ICANN-accredited registrar and have not yet signed the 2013 RAA, do note that signing will be a requirement if you want to sell the new generic top-level domains (newgTLDs).

Are you a government regulatory organization interested in understanding the relevance of Internet technologies such as IPv6 and DNSSEC?

As predicted years ago, the pool of IPv4 addresses was depleted at the Internet Assigned Numbers Authority (IANA) in early 2011. For the Internet to continue growing and to satisfy the requirements of additional users, devices, and content, the Internet needs to transition to IPv6.

Additionally, as the security of the Domain Name System (DNS) is critical, network operators need to understand how they can deploy DNS Security Extensions (DNSSEC). Governments need to understand why these technologies are important and what they can do to foster their continued adoption.

Do you have a website? A blog? Do you create videos? Podcasts? Do you write articles for websites? Do you participate in social networks? Do you operate a social network?

With IPv4 addresses rapidly being exhausted, you can no longer publish content only on the IPv4 Internet and expect everyone to be able to access it. As IPv4 depletes, users are being connected to the Internet using IPv6 address space. You must ensure all content is available via both IPv4 and IPv6 for the foreseeable future in order for it to be visible to all users.

Additionally, DNS Security Extensions (DNSSEC) provide a way to ensure that users and customers are correctly connecting to your sites and services instead of to someone else pretending to offer your same services. Understanding how to secure your domain is critical!

Basic Steps: IPv6

1. Understand the basics of IPv6

To get started, you may want to view our “IPv6 Basics” page. Additionally, you may find these ebooks and resources helpful:

2. Obtain IPv6 addresses and determine an address plan:

3. Determine if your existing network equipment will support IPv6 or purchase appropriate equipment:

4. Understand different transition technologies that can help your network:

5. Understand IPv6 security concerns:

6. Build the case for management about your transition to IPv6:

7. Keep up-to-date on the latest IPv6 news and activities:

  • IPv6-related blog posts
  • Join IPv6 communities: there are many places on the Internet where members of the “IPv6 community” gather to discuss IPv6 deployment, ask and answer questions and share new tools/services/questions. With new discussion areas appearing on new social services all the time, here are the public places we are currently aware of:
    • Email Discussion Lists:
      • ipv6-ops – a list for people involved in the deployment of IPv6
      • RIPE NCC IPv6 working group – a list for discussion of IPv6 policy and operational issues within the RIPE NCC community.
      • ipv6-hackers – lists for discussion of IPv6 security issues (one list in English and one in Spanish)
    • IETF Working Groups: within the Internet Engineering Task Force (IETF), IPv6-related issues and standards are developed and discussed in many different working groups. Some of the primary groups include:
      • v6ops – IPv6 Operations
      • 6man – IPv6 Maintenance
      • 6lowpan – IPv6 over low power networks
      • opsec – Operational Security Capabilities for IP Network Infrastructure
    • LinkedIn Groups: LinkedIn currently has over 100 different Groups related to IPv6, many connected with different regions and subject areas. Two of the more active Groups are:
    • Facebook: Similar to LinkedIn, Facebook contains a large number of IPv6-related Groups and IPv6-related Pages.
    • Twitter: the #IPv6 hashtag is commonly used for DNSSEC-related tweets.
    • Reddit: find the IPv6 “subreddit”
  • Understand the potential impact of “Happy Eyeballs” on how people may connect to your service / application: RFC 6555 – Happy Eyeballs

The 2013 RAA requires that registrars be able to accept IPv6 addresses for DNS records. For instance, a registrant may want to enter a “AAAA” record for the IPv6 address of his/her website. The RAA states:

To the extent that Registrar offers registrants the ability to register nameserver addresses, Registrar must allow both IPv4 addresses and IPv6 addresses to be specified.

This may require changes to your web interface to allow the longer IPv6 addresses to be entered.  If you specify which DNS records your users are able to enter, you may need to add “AAAA” as a possible choice.  Other existing records such as NS records will need to also be able to accommodate IPv6 addresses.

Now, allowing IPv6 addresses to be added into DNS zone files will not be all that your users will ask of you. You will also need to publish that information over IPv6 from your authoritative name servers.  This will mean that you will need to have IPv6 connectivity to your name servers.

Visit our resource on DNS Considerations for IPv6 for more detail on this process. For more general information about IPv6 see our list of IPv6 resources.

To check if your content is available over IPv6 – or to make it accessible over IPv6 – follow these steps:

1. Understand the overall process of making your content available over IPv6
View these resources as a start:

2. Find Out If Your Hosting Providers Support IPv6
If your website (or sites) is hosted with a provider, find out if your provider supports IPv6. We have pointers to lists of hosting providers who support IPv6, but your best bet is to start with the contacts you have at your providers. Ask if they will be making your content available over both IPv4 and IPv6. Ideally you are looking for a “dual-stack” server that supports both protocols.

If your hosting provider is NOT planning to support IPv6 any time soon, consider moving to a hosting provider that does support IPv6, or a Virtual Private Server(VPS) provider that supports IPv6.

Don’t forget about other services you may use, too, such as social networks. Contact them to ask if they will be supporting IPv6. The good news is that both Facebook, Google+ and YouTube were all participants in World IPv6 Launch and started making their sites available over IPv6 as of June 6, 2012.

3. Determine If Your Own Servers Have IPv6 Connectivity
If you host your own website(s), find out whether your Internet Service Provider (ISP) can provide you with IPv6 connectivity. If not, consider what might be involved with switching to an ISP that supports IPv6 – or perhaps bringing in a separate connection. A great place to start is with the list of network operators participating in World IPv6 Launch as they have all committed to providing IPv6 connectivity.

4. Consider Using A Content Delivery Network (CDN) – or Contact Your Existing CDN
A “content delivery network” (CDN) (also called a “content distribution network”) is a service that takes your existing content and makes it available through a global network of distribution servers. The primary reason companies use CDNs is to speed up access to website content because a CDN’s servers can be closer to end users and therefore deliver the content to those users faster. A CDN can also help absorb a greater load of traffic than an individual server.

The cool thing about a CDN is that once your content is in its network, that content can be easily made available over both IPv4 and IPv6 – even if YOUR web servers are IPv4-only!  A CDN can be a very quick way to make your content IPv6-enabled, even if your own infrastructure cannot make the move quickly.

Some of the largest CDNs such as a Akamai and Limelight as well as newer entrants like CloudFlare are all participating in World IPv6 Launch. We’ve started a list of content delivery networks (CDNs) supporting IPv6 and would encourage you to investigate this option. If you are already using a CDN, contact them and find out how soon they will be able to make your content available over IPv6.

5. Update DNS To Point To The IPv6 Address(es) For Your Site
Finally, once you have determined that your website has IPv6 connectivity, you’ll need to update DNS so that it is publishing the IPv6 address(es) for your site(s).

NOTE: If you are using a CDN, you will usually NOT have to do this because the CDN takes care of handling all of your DNS entries for you.

What you need to do is to update DNS with “AAAA” record(s) pointing to your IPv6 address(es). For example, if your web server is at the address “www.example.com” and has the IPv6 address “2001:db8:1234:3f4c:51::234“, you need to create an AAAA record with this information. (Tip: If you are speaking with your IT team or provider about these DNS records, they will sometimes call them “quad-A” records.)

For more information on DNS for IPv6 visit our resource on DNS Considerations for IPv6.

5. Celebrate!
Congrats! You’ve done it – your content is now available to all of those people who are connecting to the Internet using IPv6.

Basic Steps: DNSSEC

1. Understand the basics of DNSSEC

If you would like to understand more of the basics of DNSSEC, we suggest starting with this video (and this video interview) and also visiting DNSSEC basics page.

2. Learn how to deploy DNSSEC-validating DNS resolvers

To assist in the development of DNSSEC in your products, it would be good to deploy “DNSSEC-validating DNS resolvers” that allow users on your network to be able to have their DNS queries validated with DNSSEC.  This whitepaper is a great place to start:

3. Determine what tools may be out there to help automate your usage of DNSSEC.

4. Sign your own domains:

5. Build the case for management about your deployment of DNSSEC:

6. Keep up-to-date on the latest DNSSEC news and activities:

  • DNSSEC-related blog posts
  • Join DNSSEC communities: there are many places on the Internet where members of the “DNSSEC community” gather to discuss DNSSEC, ask and answer questions and share new tools/services/questions. With new discussion areas appearing on new social services all the time, here are the public places we are currently aware of:

The DNS Security Extensions (DNSSEC) provide a method to ensure that an attacker cannot intercept a DNS query and provide back to a user false data that might, for instance, redirect a user to a different website.  You can learn the basics by viewing a 4-minute animated video.

Domain name registrars play a critical role in DNSSEC by accepting DNSSEC records (either a “DS” or “DNSKEY” record) from a registrant and relaying those securely to the registry for the top-level domain.  As noted in the 2013 RAA:

Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: and . All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.

Registrars will need to provide some mechanism such as a web interface that allows a registrant to enter this data.  This could merely be an extension of your existing user interface or a new page or tab for the DNSSEC information.  As noted, you will also need to be able to transmit the DNSSEC information to a TLD registry using EPP.

As examples, we have several tutorials about DNSSEC support at a few registrars. ICANN also maintains a list of registrars supporting DNSSEC where you can get a sense of what other registrars are doing and perhaps explore their sites for more information.

  • Determine if your top-level domain (TLD) supports DNSSEC: If your domain ends in one of the common domains such as .COM, .NET, .ORG, .EDU, etc., those zones as well as many country code TLDs (ccTLDs) have all been signed with DNSSEC. To check if your TLD has been signed, you can visit ICANN’s list of signed TLDs.  If your TLD has not been signed, you can still sign your own domain but you cannot link it in to the global “chain of trust” that gives DNSSEC its power.
  • Consider adding a widget to your site to help promote DNSSEC

Learn about peering over IPv6: IPv6 Peering and Transit