Energy gets jump on implementing DNS security on ESnet research network
The Energy Department has started implementing Domain Name System Security Extensions on its high-performance Energy Sciences Network (ESnet), using a commercial appliance to digitally sign DNS records and manage cryptographic keys.
The first zones on the network were signed July 8 and it will be at least another month before necessary software updates and testing are completed, and signed records can be published, said R. Kevin Oberman, a network engineer at DOE’s Lawrence Berkeley National Laboratory.
“We’re just getting it cranked up now,” Oberman said. “Thus far, everything is working perfectly.”
DNSSEC is a set of protocols for digitally signing records used by the DNS to translate numerical IP addresses into commonly used domain names. Because DNS transactions underlie most activity on the Internet, assuring the authenticity of this information is crucial to security. The .gov top-level domain was digitally signed in February, and the Office of Management and Budget is requiring agencies to sign second-tier domains within .gov by the end of the year.
ESnet is a network with a 100 gigbits/sec backbone that is used primarily for scientific research. Although the DOE runs the network, its domains are in the .net and .org top-level domains rather than .gov, so the department was not required to sign its records by the OMB mandate. Oberman said the decision to implement DNSSEC was to gain practical experience. OMB also is expected to expand its mandate to include government networks that are outside of .gov.
Outside of government, .org already has been signed and a number of countries have signed their national domains. The National Institute of Standards and Technology, the National Telecommunications and Information Administration, the Internet Corporation for Assigned Names and Numbers, and VeriSign are working on a practical scheme for deploying DNSSEC in the Internet’s authoritative root zone.
Although digitally signing the records is not particularly difficult, managing process and the cryptographic keys securely can be challenging. Companies are developing tools to automate the process. ESnet is using DNS Signer, a dedicated appliance from Secure64 Software Corp.
“My retirement is one of the reasons we decided to go with a hardware solution,” Oberman said. “Running DNS these days is pretty darn simple. I started with it many years ago, when it was much more of a nuts and bolts operation.”
He said he expects to retire in two years and does not want to leave a DNSSEC implementation that would require his successor to have the same level of expertise he has. “It had to be an appliance.”
DNS Signer was one of only two appliances available in this country, and the only one that provided both the functionality and security needed, Oberman said.
DNS Signer is a “bump in the wire” that receives zone transfers from a master name server as DNS records are updated and propagated throughout the system.
“It’s an appliance that automates all of the DNSSEC operational things,” signing the records before passing them on, and generating and storing keys, said Secure64 Chief Operating Officer Joe Gersch. It has a purpose built operating system to securely store and manage keys so that signing can be done automatically online. It is undergoing certification for the Federal Information Processing Standard for cryptographic modules.
Records are signed daily, and new signing keys are generated every 30 days. The software runs on a Hewlett-Packard’s Integrity rx2660 server.
Although DNS Signer is a name server that can handle up to 100,000 DNS queries a second, it typically is used only for DNSSEC so that an enterprise does not have to replace its existing name servers, Gersch said. This is the way it is being used at ESnet.
The appliances were installed on ESnet, and the first zones were signed the first day, Oberman said. The most complex job was synchronizing two signers, one on each coast to provide redundancy for the system. The task is complicated by the fact that the signers have to exchange private keys securely.
Signing the remaining zones involves only another two or three hours work, but that has been delayed slightly because of needed upgrades to ESnet’s name servers. “We discovered a nasty bug in the name-server software that didn’t show up until we put in DNS Signer,” Oberman said.
Oberman said he believes that DNSSEC eventually will be as simple to manage as the current DNS system.
“People are getting much more serious about writing software that is manageable and maintainable by mere mortals,” he said. “But it won’t happen overnight.”
To agencies that are struggling with plans for DNSSEC, he said, “whatever you do, do it soon.” Until signed records are published with keys, mistakes probably will not impede DNS performance. “When you publish data, you don’t get to make more mistakes. Now is the time to learn about signing and get procedures down.”