The hard part of DNS security lies beyond the next deadline


With six months to go before agencies are supposed to digitally sign address records in their Internet domains, DNSSEC remains a work in progress.

With six months remaining until the deadline for agencies to digitally sign their Domain Name System address records, deployment of DNS Security Extensions remains a work in progress.

“We’ve been working in this space for six or seven years,” developing standards and guidelines for DNSSEC implementation, said Doug Montgomery, manager of the National Institute of Standards and Technology’s Internet and Scalable Systems Metrology Group. “The technology is out there to get it done.”

However, implementing DNSSEC on a large scale remains a challenge — the job doesn’t end with the end-of-the-year deadline, even if agencies do meet it.

“The one complicated part that nobody has a solution for now is key management,” said Branko Miskov, director of product management at BlueCat Networks, a company that does IP address management. “That is the big stumbling block.”

Contributions to the progress of DNSSEC deployment include the signing of the dot-gov generic top-level domain in February, signing of the dot-org zone in June, and efforts by NIST and the National Telecommunications and Information Administration, the Internet Corporation for Assigned Names and Numbers and VeriSign to come up with a practical scheme for deploying DNSSEC in the Internet’s authoritative root zone. NIST also has set up a test bed, the Secure Naming Infrastructure Pilot, to help vendors and agencies test and evaluate products that can help automate DNSSEC deployment and management.

Activity at the top tier of the Internet’s DNS is only part of the first step in deploying DNSSEC. It also must be deployed in the zones for lower tiers, and DNS servers must then use the signatures to validate the answers they receive.

DNS translates easy-to-understand names, such as GSA.gov, into the numerical strings that constitute IP addresses. It underlies most activity on the Internet, but it was not designed to provide security. As a result, this basic service is vulnerable to spoofing and manipulation, which could allow hackers to redirect traffic to fraudulent sites.

“The downside is staggering,” said Bruce Van Nice, director of corporate marketing at Nominum. “If DNS is compromised, the Internet is compromised.”

DNSSEC has been developed to address this problem by digitally signing and authenticating DNS queries and responses. The protocols have been in the works for about 15 years, but implementation has been minimal because DNS has worked so well, and nobody wants to fix what has not appeared to be broken.

“The tendency of most network managers is not to mess with it,” Van Nice said.

In late 2006, federal information security requirements called for agencies to use DNSSEC signatures on DNS servers classified as moderate- or high-impact information systems. But because most DNS servers are classified as low-impact systems, there was little implementation in the dot-gov domain. Following disclosure last year of a serious vulnerability in the DNS protocols, the Office of Management and Budget mandated that the dot-gov top-level domain be signed in January and that agencies sign their secondary domains by the end of the year.

The General Services Administration digitally signed the dot-gov top-level domain Feb. 28, a month after the original deadline, effectively implementing DNSSEC throughout the top tier of the federal Internet space. The delay came because GSA officials found during testing that an additional feature was needed in the DNSSEC software. The next step is for agencies to begin deploying DNSSEC within their second-level domains, such as GSA.gov, by the end of the year.

“Most agencies are moving pretty fast on this,” Miskov said. But as to making the year-end deadline for signing their domains, “I think it’s going to be tough” because of the complexity of many of the environments.

Long, winding road

Globally, deployment of DNSSEC is beginning to pick up steam, but full implementation remains years away. According to a survey of network operators conducted earlier this year by the European Network and Information Security Agency, 78 percent of operators either have deployed or plan to deploy DNSSEC services within the next three years. But the survey concluded that DNSSEC still is at the beginning of deployment and that tools and policies are lacking.

The difficulty is not in signing the address data within the domains but with managing keys.

“The basic act of signing the authoritative zone is easy,” Montgomery said. “Most people could do it in an afternoon, if they wanted to.”

“That’s the easiest part to tackle,” Miskov agreed. Tools such as the latest version of BlueCat’s Proteus IP address management product automate the process. “All I have to do is generate a couple of keys, mark that zone for publishing, and push.”

But that is only half of the task. Once a zone is signed, servers requesting addresses have to be DNSSEC-aware and must have access to a trusted key with which to verify the digital signatures, or the process does not work. Implementing and managing key policies — the strength of the keys to be used, the length of time they remain valid, and production of new keys on schedule — can be a complex job. Obtaining keys from a trusted source also can be complex.

Down to the roots

Plans for deploying DNSSEC at the authoritative root zone will help to simplify this challenge by reducing the number of trusted keys needed to verify requests and answers.

“It’s the starting point for DNS on the Internet,” Miskov said. With the Internet’s root zone signed, servers will be able to trust information lower in the DNS hierarchy through the chain of signatures, without needing to establish individual trust relationships with each top-level domain. Instead of managing 20 keys and replacing them when they expire, one trusted key will suffice.
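The two key-management problems the article describes, the local policy questions (algorithm strength, key size, signature validity and re-signing on schedule) and the way a parent zone vouches for a child's key so that a validator needs only the root's key, can both be seen in a small audit script. The following is an added example, not code from the article or from any vendor it names; the zone example.gov., its keys, its signature expiration times and the policy thresholds are all constructed for illustration.

```python
"""Added example (not from the article): a small DNSSEC key-policy audit.

All records are constructed for the hypothetical zone 'example.gov.'; the
policy thresholds below are illustrative choices, not an official baseline.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# DNSSEC algorithm numbers from the IANA registry (RFC 4034 and successors).
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256"}
RSA_ALGS = {5, 7, 8, 10}
# Assumed policy: RSA/SHA-1 is out, RSA moduli must be >= 2048 bits, and a
# signature within 7 days of expiring is flagged so it is re-signed in time.
WEAK_ALGS = {5, 7}
MIN_RSA_BITS = 2048
EXPIRY_WARNING = timedelta(days=7)


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner-name wire form + DNSKEY RDATA.

    The parent zone publishes this hex string; a validator that trusts only
    the parent's key uses it to accept the child's KSK, link by link down
    from the root.
    """
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA public key (exponent length, exponent, modulus)."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[off + exp_len:], "big").bit_length()


def audit_dnskey(algorithm, pubkey):
    """Return the list of policy findings for one DNSKEY (empty list = in policy)."""
    findings = []
    if algorithm in WEAK_ALGS:
        findings.append(f"algorithm {algorithm} ({ALG_NAMES.get(algorithm, '?')}) is out of policy")
    if algorithm in RSA_ALGS and rsa_modulus_bits(pubkey) < MIN_RSA_BITS:
        findings.append(f"RSA modulus is {rsa_modulus_bits(pubkey)} bits; minimum is {MIN_RSA_BITS}")
    return findings


def parse_timestamp(s):
    """RRSIG time field, YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_rrsig(expiration, now):
    """Classify an RRSIG by how long its expiration field is from 'now' (same format)."""
    remaining = parse_timestamp(expiration) - parse_timestamp(now)
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining <= EXPIRY_WARNING:
        return "RE-SIGN SOON"
    return "OK"


def make_rsa_pubkey(modulus_bytes):
    """Constructed RFC 3110 key blob: exponent 65537 and a filler modulus of the given size."""
    modulus = b"\x80" + b"\x11" * (modulus_bytes - 1)
    return bytes([3]) + (65537).to_bytes(3, "big") + modulus


# Constructed zone contents: a KSK (flags 257, SEP bit set) and a ZSK (flags 256).
ZONE = "example.gov."
KEYS = [
    ("KSK", 257, 8, make_rsa_pubkey(256)),  # 2048-bit RSA/SHA-256: in policy
    ("ZSK", 256, 5, make_rsa_pubkey(128)),  # 1024-bit RSA/SHA-1: two findings
]
# Constructed RRSIG expiration fields, keyed by the covered RRset type.
RRSIG_EXPIRATIONS = {"SOA": "20091231235959", "A": "20091215120000", "NS": "20091201000000"}


def run_audit(now):
    """Audit the constructed zone at time 'now'; returns {item: result}."""
    report = {}
    for role, flags, alg, pubkey in KEYS:
        rdata = dnskey_rdata(flags, 3, alg, pubkey)
        report[f"{role} tag {key_tag(rdata)}"] = audit_dnskey(alg, pubkey)
        if flags & 1:  # SEP bit: the key the parent's DS record should reference
            report["DS for parent"] = ds_digest(ZONE, rdata)
    for rrtype, exp in RRSIG_EXPIRATIONS.items():
        report[f"RRSIG {rrtype}"] = audit_rrsig(exp, now)
    return report


if __name__ == "__main__":
    for item, result in run_audit("20091210000000").items():  # fixed clock for reproducibility
        print(f"{item:>16}: {result}")
```

Run against a real zone, the same checks would be fed by the DNSKEY and RRSIG records fetched from the authoritative servers; the DS digest computed here is the value an operator compares against what the parent actually publishes, and a mismatch after a key rollover is exactly the failure mode the article's sources are worried about.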

NIST and NTIA are working with ICANN and VeriSign to achieve that by year’s end. NTIA and the Homeland Security Department are collaborating to evaluate architectural alternatives for signing the root, with the help of industry. Although the effort was formally announced in June, the work has been going on since at least last year, and the deadline is not new, Montgomery said.

“That milepost was out there for a while,” he said.

But the global reach of the Internet is complicating the process. Although the United States originally developed the Internet and Congress and the Commerce Department retain indirect oversight of its management, there is no real single point of control for the infrastructure, and many countries remain suspicious of U.S. intentions, a Commerce official said.

Diplomacy is playing as large a part as technology in DNSSEC deployment in the authoritative root zone, the official said, and the process is moving forward at a glacial pace.

Going automatic

On the technical side, the U.S. government is encouraging the development and testing of interoperable tools to automate the complex parts of deployment. The Secure Naming Infrastructure Pilot (SNIP) is a test bed infrastructure set up by NIST and DHS to let vendors demonstrate tools for implementing DNSSEC.

“People are coming out with clever products to allow you to get this done,” Montgomery said. “There are some quite strong products.”

SNIP also gives network administrators experience with managing a signed DNS zone on a live network. It provides an ongoing, persistent test bed and training infrastructure, as opposed to a one-shot workshop or demonstration.

SNIP provides a test domain on which participants can mirror their current DNS operations and learn what effect DNSSEC will have on those operations and on the performance of DNS servers themselves. For a test bed, NIST maintains a SNIP domain, www.dnsops.gov, to provide signed DNS zones for government users.

Contractors that want to participate but that do not qualify for the dot-gov domain can use a separate SNIP domain maintained at www.dnsops.biz. The domains are hosted on the same servers, which have standard IPv4 connectivity and an IPv6-enabled connection to the Internet2 research and education network, so that signed zones can be reached through either version of the Internet protocols.

Implementing DNSSEC in the dot-gov domain is an important step toward securing DNS but not adequate in itself.

“It is a non-trivial exercise to deploy it,” Van Nice said. “As we go forward with the dot-gov deployment, there is a lot to be learned. But that’s only a small part of the Internet.”

The dot-gov top-level domain has about 3,700 domains registered in it. In June, the Public Interest Registry, which manages the dot-org top-level domain, signed the dot-org zone, which is the third largest of the open top-level domains, behind dot-com and dot-net, and has more than 7.5 million registered domains. During a beta test phase that is expected to last into next year, DNSSEC will be analyzed in a test bed with domains registered specifically for testing.

The dot-com domain is not expected to sign its zone until 2011, and widespread use of the security extensions among second-tier domains still is three to five years away, observers say.

“We can’t naively assume that everything is OK while the deployment is going on,” Van Nice said. “Until then, we are going to have to use other protection” to ensure the security of DNS.
