    DNS security steps ordered by OMB

    Agencies must implement new DNS Security extension measures on .gov domains and related sites.

    Government agencies must take new measures by January 2009 to
    ensure that top level .gov Web site domains are signed with the
    Domain Name System security extensions, and that processes for
    securing sub-domains are developed, according to a memorandum
    released today by the White House Office of Management and Budget.
    The top level .gov domain includes the registrar, registry and DNS
    server operations.

    In addition, agencies must develop a plan of action and
    milestones for deploying DNS Security extensions to "all
    applicable information systems"; and "capabilities must
    be operational by December 2009," the memo said.

    The DNS security extensions are a set of protocols designed to
    protect the Internet from certain attacks by providing
    authentication of the origin of DNS data, data integrity and other
    elements.

    The memo, from OMB Administrator for e-government and
    information technology Karen Evans, directed agencies to submit
    initial planning drafts to OMB by Sept. 5, 2008. Agencies will
    eventually need to enumerate the second level .gov domains they
    operate; identify sources of DNS services; describe DNS server
    infrastructure; and identify and address barriers.

    The new directive is partly in response to new concerns about
    potential vulnerabilities in the Domain Name System and Web
    applications more generally. A major vulnerability was revealed
    last month that could allow hackers to intercept Web page requests
    and redirect them to malicious Web sites.

    "The Government's reliance on the Internet to
    disseminate and provide access to information has increased
    significantly over the years, as have the risks associated with
    potential unauthorized use, compromise and loss of the .gov domain
    space," Evans wrote in the memo. "Almost every instance
    of network communication begins with a request to the Domain Name
    System to resolve a human readable name for a network resource
    (e.g., www.usa.gov) into the technical information (e.g., Internet
    Protocol address) necessary to actually access the remote
    resource," she said.

    "Signing the top level .gov domain is a critical procedure
    necessary for broad deployment of DNSSEC, increases the utility of
    DNSSEC, and simplifies lower level deployment by agencies,"
    she said.

    Evans directed agencies to follow recommendations in NIST
    Special Publication 800-81 "Secure Domain Name System (DNS)
    Deployment Guide," and address the particular requirements
    described in NIST Special Publication 800-53r1 "Recommended
    Security Controls for Federal Information Systems."
