ANOTHER VIEW—Warren Suss
The steps beyond DNSSEC implementation
By December of this year, if everything goes according to plan, all federal second-level domains beneath dot-gov will have implemented Domain Name System Security Extensions (DNSSEC), following the recommendations of the National Institute of Standards and Technology. Federal network communications will be better protected against serious DNS security flaws because every request and response for resolving a DNS address will be digitally signed.
Because it is so important to protect against DNS-based attacks, however, federal information technology managers should address DNS challenges that go beyond basic compliance with the current initiative, outlined in the Office of Management and Budget’s Aug. 22, 2008, memo under the subject of “Securing the Federal Government’s Domain Name System Infrastructure.”
Here’s where we need to go.
1. Improve the efficiency of DNSSEC management. After implementing DNSSEC, agencies will need to manage their cryptographic keys, but the marketplace is still playing catch-up in developing comprehensive tools to automate the process. In the near term, agencies will need to do their best to optimize the inherently inefficient process of generating, managing and updating their keys and signing the associated data.
2. Lead the marketplace. The federal community will become the first customer for the next generation of more efficient DNSSEC services, tools and systems. The federal IT community, with help from NIST, needs to stay on top of a fast-changing cybersecurity marketplace. More DNSSEC products and services mean more and better choices for IT managers. So let the vendor community know you’re shopping, which will stimulate their investment in next-generation solutions.
3. Closely monitor the impact on network performance. Managing DNSSEC is a tricky business and can result in unintended performance problems for agencies’ production networks. In addition to using NIST’s Secure Naming Infrastructure Pilot (www.dnsops.gov) as a test bed, be sure you have the right tools in place to monitor your network performance from a user perspective as you implement your plans to address the DNSSEC mandate. That is particularly important during periods of peak network demand, such as tax time for the Internal Revenue Service.
4. Keep up your guard. The DNSSEC recommendations mandated by OMB represent an incomplete security solution. Federal network communications will still be vulnerable to cache poisoning until DNSSEC is implemented at the root level and throughout the DNS hierarchy — a complicated process that is still under evaluation by the National Telecommunications and Information Administration. There’s no quick fix to the challenge because the solution will require strong national policies and international support. For the foreseeable future, federal IT professionals need to select the in-house, outsourced or vendor-provided DNS system that offers the best protection against cache poisoning and distributed denial-of-service attacks.
5. Pay attention to single points of failure during DNS data propagation. Just as you must guard against single points of failure in your enterprise architecture, you should pay attention to the design of your network’s DNS implementation to make sure that you won’t be out of business if a single DNS server goes down.
6. Encourage your information exchange partners to adopt DNSSEC. By December, we’ll be safer communicating with other federal agencies, but we’ll still be vulnerable when interacting with corporations, universities, international organizations and citizens. Keep up the pressure on your information exchange partners and policy organizations to secure universal adoption of DNSSEC protections.
In the past year, federal IT managers have enumerated their second-level dot-gov domains, identified the internal and external sources of their DNS services, and cataloged their DNS server infrastructures. Those efforts helped them identify and address barriers to DNSSEC implementation, participate in the government’s Secure Naming Infrastructure Pilot, train their employees on DNSSEC, and document their plans of action and milestones for DNSSEC implementation.
Now it’s time to build on that knowledge and go beyond OMB’s requirements by optimizing the efficiency of your DNSSEC processes, protecting against cache poisoning and distributed denial-of-service attacks, minimizing your vulnerability to single points of failure in DNS data propagation, and encouraging widespread DNSSEC adoption by your information exchange partners.