Domain name security isn't easy
Deploying Domain Name System Security Extensions isn’t easy. Federal managers who are responsible for implementing DNSSEC should take steps to make the process as painless as possible, panelists said at the FOSE 2010 trade show in Washington, D.C.
“Start now, take baby steps and test, test, test,” advised Dan Malkovich, a systems engineer at Secure64 of Greenwood Village, Colo.
Malkovich was one of a group of industry officials at a March 24 FOSE session who identified lessons learned from their experiences supporting agency DNSSEC programs.
DNSSEC adds a layer of security to DNS that verifies the identity and authenticity of domain names when an Internet user accesses them. The Office of Management and Budget mandated that every federal agency implement a standard to secure their DNS infrastructure by the end of 2009. About 80 percent of agencies missed that deadline.
Chris Parker-James, product manager at BlueCat Networks of Toronto, said agencies should take a holistic view as they put DNSSEC in place. “Make the process as transparent as possible,” he said.
He added that potential roadblocks to successful deployment include dated and aging hardware and misconfigured firewalls. “Make sure your network is properly configured prior to deploying DNSSEC,” he advised.
Agencies that want DNSSEC as a managed service should look for vendors that guarantee 100 percent uptime, said Michael Young, vice president of product development at Afilias Ltd. of Horsham, Pa. “In turn, you should be able to offer guaranteed services to your customers,” he said. “You should be able to perform maintenances without DNS downtime if you are depending on a service provider that has 100 percent uptime.”
Guaranteed uptime is long-term insurance “against outages and all the nasty political and business implications of unanticipated downtime,” Young said. “In some cases, there are safety and emergency issues as well. The Internet has become vital for a lot of those services.”
Young also said DNSSEC increases network traffic. “Not everybody that is servicing their own DNS these days is prepared for that element,” he said. However, “managed DNS service providers have the capacity to add infrastructure.”
Bruce Van Nice, director of product marketing at Nominum Inc. of Redwood City, Calif., warned that “broad DNSSEC rollout will take many years. DNS has to be protected in the meantime.” He suggested that agencies take measures to maximize their DNS defenses and protect unsigned DNS data during the transition.
Richard W. Walker is a freelance writer based in Maryland.