NIST releases new draft of Special Publication 800-81 on securing DNS

The second draft incorporates suggestions received from the first revision in March

• By William Jackson
• Aug 27, 2009

Ensuring the availability and integrity of the Domain Name System (DNS) is an essential element of cybersecurity, and the National Institute of Standards and Technology (NIST) is updating recommendations for this in its “Secure Domain Name System (DNS) Deployment Guide."

A second draft of the proposed revision of Special Publication 800-81 has been released for public comment.

This release incorporates suggestions received on the first draft, released in March, and also includes guidance on migrating to a new cryptographic algorithm for signing a zone, for migrating to NSEC3 hashing specifications to provide authenticated denial of existence response, and a discussion of DNS Security Extensions (DNSSEC) in split view deployments.

The primary task of DNS is translation between domain names and numerical IP addresses, to allow online activity over the Internet. Providing Domain Name resolution services has been identified as a critical IT function by the Homeland Security Department in its recently released IT Sector Baseline Risk Assessment. Among the concerns identified in the assessment in the assessment are a widespread breakdown of the DNS through a malicious attack, and large scale denial of services attacks.

Because DNS data by its nature is public, confidentiality is not a security concern. “The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit,” the draft publication says.

However, DNS presents some peculiar security challenges, NIST notes. A spoofed DNS node can deny access to a broad set of Internet resources for which the node provides information by all clients. If the integrity of DNS information on an authoritative server is violated, the chained information retrieval process of DNS can be broken, resulting in either a denial of service for DNS name resolution function or misdirection of users to illegitimate resources.

The DNS-specific recommendations laid out by NIST in the deployment guidelines include:

• Implementing appropriate system and network controls for securing the DNS hosting environment, such as operating system and application patching, process isolation and network-fault tolerance.
• Protecting DNS transactions such as update of DNS name resolution data and data replication on DNS nodes in an enterprise’s control using hash-based message authentication codes.
• Protecting the ubiquitous DNS query/response transaction by using digital signatures based on asymmetric cryptography.

“Part of those recommendations is deployment of the DNS Security Extensions (DNSSEC) for zone information,” NIST said. The basic steps for DNSSEC deployment are:

• Installing DNSSEC capable name server.
• Checking zone file(s) for integrity errors.
• Generating a key pair for each zone and including them in the zone file.
• Signing the zone.
• Loading the signed zone onto the server.
• Configuring the name server to turn on DNSSEC processing.

A copy of public key also can be sent to a parent for secure delegation.

The draft is expected to be finalized and published as SP 800-81r1 following the close of the public comment period on Sept. 30. Comments should be sent to SecureDNS@nist.gov.