DNS Security

Walk, don't run, to DNSsec deployment

Deploying the Domain Name System Security Extensions is a complicated process, but agencies must do it this year. The advice from those who have experience with the process is to walk before you run.

“Do it in baby steps,” said Robert Toense, an electronics engineer at the National Institute of Standards and Technology’s Office of the Chief Information Officer. “Be careful and think about it. Don’t rush into it.”

First, “do a quick exam of how DNS is being used” on your network, said Scott Rose, a computer scientist at NIST. “This is an opportunity to look at how you’re doing things and improve it.”

NIST enhanced its situation by reducing the number of partitioned zones on its network — each of which requires its own signing keys — from about 200 to about 15, simplifying DNSsec and network management.

Although the point of digitally signing DNS records is to let resolvers verify the authenticity of responses through chains of trust, key exchanges are not required for deploying DNSsec. You can sign your own data and manage your own keys without exchanging them with parent or delegate zones. At this point, that is all the Office of Management and Budget requires.
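The key exchange an "island" defers is handing the parent zone a DS record derived from the zone's key-signing key. The following added example (not from the article or NIST) computes that record with Python's standard library, using the RFC 4034 key-tag checksum and the RFC 4509 SHA-256 digest; the DNSKEY line, owner name and two-byte public key are constructed sample values, not a real key.

```python
import base64
import hashlib

# RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (algorithms other than RSA/MD5).
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# Canonical wire form of an owner name: lowercase, length-prefixed labels, root label = 0x00.
def name_to_wire(name: str) -> bytes:
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

# DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key.
def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

# Parse a presentation-format DNSKEY line; TTL and class may be present or absent.
def parse_dnskey_line(line: str):
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, "".join(fields[i + 4:])

# DS record text for the parent: RFC 4509 SHA-256 over owner-name wire form || DNSKEY RDATA.
def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    if not flags & 0x0100:
        raise ValueError("ZONE flag not set; DS must reference a zone key (KSK flags are normally 257)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample: a "KSK" whose public key is the two bytes 0x01 0x02 (base64 "AQI=").
SAMPLE_DNSKEY_LINE = "example.gov. 3600 IN DNSKEY 257 3 8 AQI="

def sample_ds() -> str:
    owner, flags, proto, alg, key = parse_dnskey_line(SAMPLE_DNSKEY_LINE)
    return f"{owner} IN DS {ds_record(owner, flags, proto, alg, key)}"

if __name__ == "__main__":
    print(sample_ds())
```

Until the resulting DS is published in the parent zone, validating resolvers can only trust the zone if they carry its KSK as a manually configured trust anchor, which is exactly the island configuration the article describes.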

“Get your data signed,” Toense said. “Make yourself an island,” which is what NIST did in 2007. “We had to get started. It’s not perfect, but we will refine it.”

In addition, know what you are doing before you plug a new system into a production network. Walk through the scenarios first, and leave a bailout path if things don’t work properly. NIST established a Secure Naming Infrastructure Pilot (www.dnsops.gov) to give administrators some experience managing a signed DNS zone on a live network.

About the Author

William Jackson is a Maryland-based freelance writer.