NIST releases new draft of Special Publication 800-81 on securing DNS
The second draft incorporates suggestions received from the first revision in March
- By William Jackson
- Aug 27, 2009
Ensuring the availability and integrity of the Domain Name System
(DNS) is an essential element of cybersecurity, and the National
Institute of Standards and Technology (NIST) is updating
recommendations for this in its “Secure Domain Name System (DNS)
A second draft of the proposed revision of Special Publication 800-81 has been released for public comment.
This release incorporates suggestions received on the first draft,
released in March, and also includes guidance on migrating to a new
cryptographic algorithm for signing a zone, for migrating to NSEC3
hashing specifications to provide authenticated denial of existence
response, and a discussion of DNS Security Extensions (DNSSEC) in split
The primary task of DNS is translation between domain names and
numerical IP addresses, to allow online activity over the Internet.
Providing Domain Name resolution services has been identified as a
critical IT function by the Homeland Security Department in its
recently released IT Sector Baseline Risk Assessment.
Among the concerns identified in the assessment in the assessment are a
widespread breakdown of the DNS through a malicious attack, and large
scale denial of services attacks.
Because DNS data by its nature is public, confidentiality is not
a security concern. “The primary security goals for DNS are data
integrity and source authentication, which are needed to ensure the
authenticity of domain name information and maintain the integrity of
domain name information in transit,” the draft publication says.
However, DNS presents some peculiar security challenges, NIST
notes. A spoofed DNS node can deny access to a broad set of Internet
resources for which the node provides information by all clients. If
the integrity of DNS information on an authoritative server is
violated, the chained information retrieval process of DNS can be
broken, resulting in either a denial of service for DNS name resolution
function or misdirection of users to illegitimate resources.
The DNS-specific recommendations laid out by NIST in the deployment guidelines include:
- Implementing appropriate system and network controls for securing
the DNS hosting environment, such as operating system and application
patching, process isolation and network-fault tolerance.
- Protecting DNS transactions such as update of DNS name resolution
data and data replication on DNS nodes in an enterprise’s control using
hash-based message authentication codes.
- Protecting the ubiquitous DNS query/response transaction by using digital signatures based on asymmetric cryptography.
“Part of those recommendations is deployment of the DNS Security
Extensions (DNSSEC) for zone information,” NIST said. The basic steps
for DNSSEC deployment are:
- Installing DNSSEC capable name server.
- Checking zone file(s) for integrity errors.
- Generating a key pair for each zone and including them in the zone file.
- Signing the zone.
- Loading the signed zone onto the server.
- Configuring the name server to turn on DNSSEC processing.
A copy of public key also can be sent to a parent for secure delegation.
The draft is expected to be finalized and published as SP
800-81r1 following the close of the public comment period on Sept. 30.
Comments should be sent to SecureDNS@nist.gov.
William Jackson is a Maryland-based freelance writer.