Feds at the forefront of DNS security
DNSsec provides a classic example of the government’s ability to lead by example
The Office of Management and Budget has emerged in recent years as one of the driving forces in information technology security because it holds many of the purse strings for civilian agencies. Agencies listen when OMB issues a mandate, and vendors pay attention when agencies scramble to implement new security measures.
One of government’s key security initiatives this year is implementation of the Domain Name System Security Extensions for Internet service. During the next nine months, this initiative is likely to result in the appearance of effective appliances to simplify and automate this complex task, which could go a long way toward making the infrastructure underlying the Internet a little more secure.
This could be a significant step, considering that DNSsec has languished for years because it is an onerous technology to manage. The discovery of a vulnerability in the DNS protocols last year provided the impetus for getting the security extensions into place. The new appliances will help make that task practical.
DNSsec is a protocol for digitally signing data on the Domain Name System to give greater reliability to the DNS queries and responses that underlie most online activities. Agencies are supposed to implement it in the dot-gov domain this year. The General Services Administration successfully signed the dot-gov top-level domain in February, and agencies have until the end of the year to implement it in their second-level domains, such as GSA.gov.
The problem with DNSsec is that, once implemented, it will require constant — or at least regular — attention to generate, manage and periodically replace cryptographic signing keys and also sign and re-sign the data. In contrast, DNS without the security extensions requires almost no maintenance and management, which means that many enterprises do not have the overhead or the expertise for managing DNSsec in their organizations.
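The maintenance burden the preceding paragraph describes comes from two places: every signature carries an inception and expiration time, so signed zone data goes stale unless it is re-signed before the window closes, and the signing keys themselves must be generated, tracked and eventually replaced. The following Go program is an added illustration of that lifecycle and is not code from the original article or from any of the products it mentions. It is a deliberately simplified model: it signs a record set with an Ed25519 zone-signing key (Ed25519 is one of the algorithms DNSSEC permits), verifies it the way a validating resolver would, and runs the operator-side check that flags signatures nearing expiry. The record layout, the `example.gov` name, the 30-day lifetime and the 7-day refresh window are constructed assumptions for the example, not the real RFC 4034 wire format or any agency's settings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRset is a toy stand-in for a DNS resource record set: all records of one
// type at one owner name. DNSSEC signs RRsets, not individual records.
type RRset struct {
	Name    string
	Type    string
	Records []string
}

// RRSIG is a toy stand-in for the RRSIG record that carries a signature over
// an RRset together with its validity window and the tag of the signing key.
type RRSIG struct {
	Name       string
	Type       string
	Inception  time.Time
	Expiration time.Time
	KeyTag     uint16
	Signature  []byte
}

// signedData builds the byte string that is signed: the RRset in canonical
// order plus the validity window and key tag. Real DNSSEC uses the RFC 4034
// wire format; this simplified layout is an assumption made for the example.
func signedData(rr RRset, inception, expiration time.Time, keyTag uint16) []byte {
	recs := append([]string(nil), rr.Records...)
	sort.Strings(recs) // canonical ordering so record order never affects validity
	var buf bytes.Buffer
	fmt.Fprintf(&buf, "%s|%s|%d|%d|%d|",
		strings.ToLower(rr.Name), rr.Type, inception.Unix(), expiration.Unix(), keyTag)
	buf.WriteString(strings.Join(recs, "|"))
	return buf.Bytes()
}

// SignRRset produces an RRSIG valid from now for the given lifetime.
func SignRRset(zsk ed25519.PrivateKey, rr RRset, now time.Time, lifetime time.Duration, keyTag uint16) RRSIG {
	exp := now.Add(lifetime)
	return RRSIG{
		Name: rr.Name, Type: rr.Type,
		Inception: now, Expiration: exp, KeyTag: keyTag,
		Signature: ed25519.Sign(zsk, signedData(rr, now, exp, keyTag)),
	}
}

// VerifyRRset is what a validating resolver does: check the validity window
// against its own clock, then check the signature over the canonical data.
// An expired signature fails validation, so a zone that is not re-signed in
// time stops resolving for validating clients even though the data is intact.
func VerifyRRset(zskPub ed25519.PublicKey, rr RRset, sig RRSIG, now time.Time) error {
	if now.Before(sig.Inception) {
		return errors.New("signature not yet valid")
	}
	if now.After(sig.Expiration) {
		return errors.New("signature expired: zone needs re-signing")
	}
	if !ed25519.Verify(zskPub, signedData(rr, sig.Inception, sig.Expiration, sig.KeyTag), sig.Signature) {
		return errors.New("bad signature: data altered or wrong key")
	}
	return nil
}

// SignatureStatus is the operator-side check that a re-signing job or monitor
// would run: "expired", "expiring" (inside the refresh window, re-sign now),
// or "valid".
func SignatureStatus(sig RRSIG, now time.Time, refreshWindow time.Duration) string {
	switch {
	case now.After(sig.Expiration):
		return "expired"
	case now.Add(refreshWindow).After(sig.Expiration):
		return "expiring"
	default:
		return "valid"
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data; example.gov is a placeholder, not a real zone.
	rr := RRset{Name: "www.example.gov.", Type: "A", Records: []string{"192.0.2.10", "192.0.2.11"}}
	t0 := time.Date(2009, 6, 1, 0, 0, 0, 0, time.UTC)
	sig := SignRRset(priv, rr, t0, 30*24*time.Hour, 4242)

	for _, day := range []int{1, 25, 31} {
		now := t0.Add(time.Duration(day) * 24 * time.Hour)
		fmt.Printf("day %2d: status=%-8s verify=%v\n", day,
			SignatureStatus(sig, now, 7*24*time.Hour), VerifyRRset(pub, rr, sig, now))
	}
	// Re-signing restores validity without changing the zone data itself.
	resigned := SignRRset(priv, rr, t0.Add(25*24*time.Hour), 30*24*time.Hour, 4242)
	fmt.Println("after re-sign, day 31:", VerifyRRset(pub, rr, resigned, t0.Add(31*24*time.Hour)))
}
```

The loop in `main` walks one signature through its life: valid on day 1, flagged for re-signing on day 25, and rejected by the resolver on day 31. Only the re-signing step in the last two lines brings the zone back, which is exactly the recurring chore the appliances discussed in this article set out to automate; the key tag is the hook a rollover procedure would use to tell the old zone-signing key from its replacement.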
But if there is one thing IT does well, it is automate the arduous. All it requires is the incentive. With that incentive now in place, appliances that promise to provide one-click DNSsec signing and maintenance are appearing on the market.
The National Institute of Standards and Technology has built a test bed, the Secure Naming Infrastructure Pilot, at dnsops.gov, to give agencies a place to hone their DNSsec skills and kick the tires on new products.
“We have a good number of these, and we’re open to everybody who wishes to participate,” said NIST computer scientist Scott Rose.
It is too early to expect perfection from these new products.
“We’re working with some of them,” said Robert Toense, an electronics engineer in NIST’s chief information officer’s office who helped to implement DNSsec on NIST.gov. “None of them have a complete solution yet that I’m aware of. But they are all trying very hard, realizing it is not a simple problem.”
But with a market ready for the tools, effective solutions probably will appear. That won’t ensure that agencies will make the Dec. 31 deadline for signing their zones, of course, and DNSsec cannot entirely ensure the security of the Internet. But this is a classic example of the government’s ability — by providing the will and market for new technology — to lead by example and affect IT security far beyond its own domain.