Walk, don't run, to DNSsec deployment
- By William Jackson
- Apr 03, 2009
Deploying the Domain Name System Security Extensions is a complicated process, but agencies must do it this year. The advice from those who have experience with the process is to walk before you run.
“Do it in baby steps,” said Robert Toense, an electronics engineer at the National Institute of Standards and Technology’s Office of the Chief Information Officer. “Be careful and think about it. Don’t rush into it.”
First, “do a quick exam of how DNS is being used” on your network, said Scott Rose, a computer scientist at NIST. “This is an opportunity to look at how you’re doing things and improve it.”
NIST simplified its own deployment by consolidating the separately partitioned zones on its network, each of which needs its own signing keys, from about 200 to about 15, which eases both DNSsec operations and general DNS management.
Although the point of digitally signing DNS records is to let resolvers verify that response data is authentic by following a chain of trust down from a parent zone, establishing that chain is not required to deploy DNSsec. You can sign your own data and manage your own keys without publishing a DS record for your key in the parent zone or accepting DS records from your delegated child zones. At this point, that is all the Office of Management and Budget requires. The caveat is that a zone signed this way is an island: a validating resolver can check its signatures only if that zone's public key has been configured on the resolver as a trust anchor.
“Get your data signed,” Toense said. “Make yourself an island,” which is what NIST did in 2007. “We had to get started. It’s not perfect, but we will refine it.”
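Connecting an island to its parent later means handing the parent a DS record derived from the zone's key-signing key. The following Python is an added example, not code from the article or from NIST's pilot, showing how that DS record is computed from a DNSKEY resource record in presentation format (RFC 4034 for the key tag and record layouts, RFC 4509 for the SHA-256 digest type). The owner name example.gov, the 4-byte public key (real ECDSA P-256 keys are 64 bytes) and the TTL are constructed placeholders; the digest is deliberately taken over the owner name as well as the key data, so a key re-published under a different name produces a different DS.

```python
"""Derive the DS record a parent zone needs for a child zone's KSK.

Added example (not from the original article). example.gov, the key
material and the TTL below are constructed placeholders.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_TYPES = {1: "sha1", 2: "sha256"}
FLAG_ZONE = 0x0100  # bit 7: key may sign zone data
FLAG_SEP = 0x0001   # bit 15: Secure Entry Point, i.e. a KSK


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR such as
    'example.gov. 3600 IN DNSKEY 257 3 13 <base64>'; returns (owner, rdata)."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY resource record")
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may be split across fields
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). It is a
    checksum, not a unique identifier, so tags can collide."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR for the given DNSKEY.

    Refuses keys without the ZONE flag: they cannot sign zone data, so a
    DS pointing at one would never validate anything."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & FLAG_ZONE:
        raise ValueError("DNSKEY lacks the ZONE flag; not usable for a DS")
    algorithm = rdata[3]
    digest = hashlib.new(DIGEST_TYPES[digest_type],
                         name_to_wire(owner) + rdata).hexdigest().upper()
    owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def ds_for_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Convenience wrapper: DNSKEY presentation line in, DS line out."""
    owner, rdata = parse_dnskey(line)
    return ds_record(owner, rdata, digest_type)


if __name__ == "__main__":
    # Constructed KSK (flags 257 = ZONE|SEP, algorithm 13) with a dummy key.
    print(ds_for_dnskey_line("Example.GOV. 3600 IN DNSKEY 257 3 13 AAECAw=="))
```

Until that DS line is published in the parent zone, the signed zone stays an island: only resolvers that carry the DNSKEY itself as a configured trust anchor will validate its answers.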
In addition, know what you are doing before you plug a new system into a production network. Walk through the scenarios first, and leave a bailout path if things don’t work properly. NIST established a Secure Naming Infrastructure Pilot (www.dnsops.gov) to give administrators some experience managing a signed DNS zone on a live network.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.