In conjunction with OMB, NIST and DHS, GSA determined during testing that an additional feature of the DNSSEC software was required to improve the overall security of the system.
The federal government will delay the implementation of Domain Name System Security Extensions (DNSSEC) in the .gov top-level domain by one month. The .gov domain, which includes the registry, the registrar and the .gov DNS servers, was supposed to have had DNSSEC cryptographic signing by the end of January to prevent hackers from exploiting DNS vulnerabilities.
The General Services Administration, which is the lead agency in securing the .gov top-level domain, announced the delay in conjunction with representatives from the Office of Management and Budget, the National Institute of Standards and Technology, and the Homeland Security Department. GSA officials said they had determined during testing that an additional feature of the DNSSEC software was required to improve the overall security of the system. They said they expect to deploy DNSSEC by the end of February.
The effort to implement DNSSEC on .gov domains was initiated by an Aug. 22, 2008, memo from OMB that required agencies to submit reports by September 2008 describing their current level of compliance with NIST’s DNSSEC standard and a plan detailing how the agency would implement DNSSEC by a December 2009 deadline.
The government was supposed to apply DNSSEC to the .gov top-level domain by January 2009 as a first step toward the signing of all delegated agency subzones, such as gsa.gov.
DNS is a fundamental element of the Internet and IP-based networks. It translates or matches domain names to numeric IP addresses that identify the physical machine hosting a Web site or application.
Because DNS has existed since the early days of the Internet, it was not designed with adequate security measures. As a result, security issues have dogged DNS implementations, including the major flaw Internet security researcher Dan Kaminsky discovered in July 2008. DNS security risks include cache poisoning, in which a user is redirected to a fraudulent Web site masquerading as a legitimate site, potentially tricking the person into providing personal information.
Security patches for DNS and technologies such as DNSSEC have been developed as add-ons to protect the system.
“DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet,” the OMB memo states.
Although DNSSEC has been around for about a decade, it has seen limited implementation. However, its necessity is quickly becoming obvious and is gaining worldwide attention. Network administrators are struggling to implement the cryptographic signing mechanism, which seems to be more cumbersome than expected, and are looking to software and hardware-based solutions for assistance.
Government officials said that although they missed the January deadline, they intend to meet the new February goal.