Deploying a new technology requires investment in software, hardware and human resources. In the case of DNSSEC the cost of these investments is not well defined and this uncertainty can hinder its deployment. The Agency - in collaboration with a DNS Expert Group that assembled and Deloitte - were engaged in studying the costs and resource impact of DNSSEC deployments. The study was performed between June and September 2009.
The main observations and conclusion of this study are summarized in this executive summary:
Early adopters lead the pack
This study showed that - through the open knowledge sharing within the DNS community – organizations considering implementing DNSSEC can greatly benefit from the work performed by the pioneers and early adopters. This knowledge sharing is mainly focused around sharing information and experiences. However, some DNS organizations chose to release some of their tooling and software to the general public by releasing it as open source software.
Organisation Types
Through analysis of the collected data, we noted that the cost of implementing DNSSEC is the lowest for pure registrars. Registries and (reverse) zone operators seem to have comparable costs with regards to their implementation projects.
In our analysis we identified two types of organizations implementing DNSSEC:
- Big spenders;
- Big savers;
Although their main business drivers for implementing DNSSEC are similar, big spenders and big savers are distinguished by their cost drivers and the maturity of their organizations with regards to IT processes.
Cost drivers
Based on the information obtained through the stocktaking we concluded that two important parameters exist in determining the cost drivers of a DNSSEC implementation project:
- Infrastructure cost: Big savers tend to reuse the overcapacity in their existing infrastructure for their DNSSEC implementation. Big spenders tend to use the DNSSEC implementation as an opportunity to upgrade their name server infrastructure.
- Strategic positioning: Big spenders want to be in the front line of the DNSSEC wave and choose to improve existing open source software through in-house development. Furthermore, big spenders also put more emphasis on the governance aspects of the DNSSEC implementation. At the other end of the spectrum are the big savers that mainly leverage on existing open source software and that limit customization and development efforts. Their strategy seems to be to implement DNSSEC in a lean way to ensure that their technology fits its purpose without considering the increased responsibility of being a Trust Anchor. The big spenders invest a significant amount of money in managing their increased responsibility. For example, the involvement of legal experts into the DNSSEC implementation project to ensure the responsibilities and possible legal implications of domain name signing.
Download Study