Products & services

BannerSecure DNS - DNSSEC

BT Onsite Contact Cisco

The benefits

Secure your DNS and protect your DNS caches

Domain Name System Security (DNSSEC) technology enables digital signing of published DNS information in authoritative DNS servers so those querying your www addresses can be assured of accuracy. BT Diamond IP solutions streamline configuration and automate both the recursive and authoritative sides of the DNS process.

  • Set and forget DNSSEC implementation: BT Diamond IP solutions remove the complexity of authoritative DNSSEC deployment. Simply define your DNSSEC key and signature policies and the Sapphire Sx20 appliance does the rest! The Sx20 automatically signs deployed DNS zones, refreshes signatures, and rolls keys based on your policies.
  • Keep your DNSSEC policies secure: Security teams prefer to define security policies themselves while keeping such policies secure on a “need to know” basis. BT Diamond IP solutions let DNS administrators manage DNS, while enabling the security team to manage DNSSEC policies. DNS administrators are not generally asymmetric key cryptographers so such “division of labour” reduces errors, saves time, and improves overall security.
  • Fully define DNSSEC validation: On the querying side of the DNS process, your recursive servers issue queries out to the Internet on behalf of your internal users, and cache this information to supply to other users asking for the same information. DNSSEC validation eliminates DNS cache poisoning style attacks such as that discovered by Dan Kaminsky. BT Diamond IP solutions enable you to specify trusted or managed keys and validation policies
  • Configure DNSSEC validation across vendors: BT Diamond IP solutions enable you to define DNSSEC validation trust anchors and policies not only for BT Diamond IP Sapphire appliances but also for stock Internet Systems Consortium (ISC) BIND DNS servers you may already have deployed. Retain this investment but secure their query function with BT Diamond IP.
  • Don’t stop securing at DNSSEC: DNSSEC is the definitive solution for DNS cache poisoning. But there are several other vectors available to would-be attackers. Round out your DNS security policy building on DNSSEC by considering configuration of DNS hidden masters, server ACLs, transaction keys, views, and similar BIND DNS directives, in addition to deploying purpose-built secure Sapphire DNS appliances to minimise operating system and denial of service vulnerabilities.

What it costs

Diverse platforms with flexible solutions pricing

BT Diamond IP management solutions are available as software installable on your hardware, as purpose-built pre-installed Sapphire hardware or virtual appliances, or as managed services.

With this diverse set of platforms and the option to mix-and-match, we offer the most flexible solutions for managing your IP address space and DNSSEC deployments.  Contact your BT account manager to review your options and to get a quote.

More reasons to buy

Manage DNS security and address space

Using BT Diamond IP solutions, you can automate DNS security both on your authoritative and caching servers to effectively secure your DNS information while securing the caches of your recursive DNS severs. BT Diamond IP solutions also enable you to manage DNS in the context of your name and address space. You can track and manage IPv4 and IPv6 addresses, DNS domains and corresponding DNS zones and resource records.  You can deploy our simple, secure Sapphire appliances to add an extra level of security by using these purpose-built appliances. You can configure and manage IPAM information on distributed appliances, but also monitor the state of deployed appliances, reconfigure remotely, and upgrade appliances from the centralized management console, all with our Sapphire appliances.

Our managed IPAM services also leverage Sapphire appliance deployments if you decide to have us monitor, upgrade and proactively administer your DHCP/DNS/IPAM (DDI) services. We offer maximum flexibility in helping you more effectively manage your IPv4 and IPv6 address space holistically.

Technical specs

Secure DNS while holistically managing IPAM

BT Diamond IP’s Sapphire Sx20 appliance enables you to blend the best of both worlds - defining your DNS security policies independently while enacting these security policies upon DNS information deployed from the holistic IP address plan. Our IPAM solutions enable you to manage your IPv4 and IPv6 address plan and resultant DHCP and DNS configurations cohesively in a single display. This helps you manage all address allocation policies locally, allocate IP subnets, assign individual addresses, configure DHCP pools, deploy DNS zones and resource records, and automate signing of DNS zones. We offer you the maximum flexibility from our diverse feature set:

  • Dedicated security policy interface: There’s no need to train IPAM and DNS administrators about asymmetric cryptographic techniques, keys and signatures. BT Diamond IP’s Sapphire Sx20 enables one-step definition of security policies using a secure special interface.
  • Set and forget: You can define your policies using the Sapphire Sx20 appliance and it will implement them on-going. As DNS information is deployed to the Sapphire Sx20 appliance, it automatically signs it and automates signature updates and key rollovers.
  • Protect your DNS: BT Diamond IP solutions allow you to configure DNSSEC trusted and managed keys along with other BIND supported DNSSEC validation parameters and options to protect your DNS server cache. Our support of additional security options and parameters round out a more robust DNS security solution than the competition.
  • Don’t short your investment: Unlike competitive appliance solutions, BT Diamond IP does not require a hardware refresh after three years or at any time for that manner. We do offer substantial discounts for refresh on your schedule if and when you choose to do so.


In select regions

We have deployments across the globe but please contact your BT account manager for more information and for product and services deployment and support options.

Service level agreement

Support and Managed DHCP Services

We publish BT Diamond IP SLAs for product support for our software and appliance products. Appliance support includes next business day shipping for failed units. And we do not force you to upgrade your appliances every three years unlike other appliance vendors.

Our managed services additionally offer a set of SLAs for Sapphire appliance status or outage detection and resolution as well as for IPAM moves, adds, and changes. Please contact your BT account manager for more details.