U.S. misses DNS security deadline

One month delay for signing .gov caused by software glitch, feds say

The federal government missed its first deadline for rolling out DNS security mechanisms on its .gov top-level domain.

Federal officials now say they will cryptographically sign .gov by the end of February, one month behind their original schedule.

Federal agencies were required to deploy DNS Security Extensions (DNSSEC) on the .gov top-level domain by January 2009 and on all sub-domains by December 2009 under an Office of Management and Budget (OMB) mandate issued last year.  

DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by letting DNS answers (the mapping from a domain name to its corresponding IP addresses) be verified using digital signatures and public-key cryptography.

DNSSEC is the only foolproof way to prevent cache poisoning attacks, where a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing. These attacks are a result of a significant DNS flaw known as the Kaminsky Bug, which was discovered this summer.
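The mechanism the two paragraphs above describe, as an added example that is not part of the original article: a toy zone signer and validating resolver in Go. It uses Ed25519 (a signing algorithm DNSSEC supports) but simplifies the real RRSIG, DNSKEY and DS records down to a raw signature over a canonical RRset; the zone name example.gov, the addresses and the keys are all constructed here. It then plays through a cache-poisoning attempt to show why a forged answer fails validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified DNS resource record set: every record that shares
// one owner name and type. DNSSEC signs whole RRsets, never single records.
type RRset struct {
	Name    string
	Type    string
	TTL     uint32
	Records []string
}

// SignedRRset pairs an RRset with a simplified RRSIG: just the raw
// signature bytes, without the header fields a real RRSIG record carries.
type SignedRRset struct {
	RRset
	Signature []byte
}

// canonical serialises an RRset deterministically (lower-cased owner name,
// records sorted), loosely following the canonical form of RFC 4034 so that
// the signer and the validator always hash exactly the same bytes.
func canonical(rr RRset) []byte {
	recs := append([]string(nil), rr.Records...)
	sort.Strings(recs)
	var b strings.Builder
	fmt.Fprintf(&b, "%s|%s|%d|", strings.ToLower(rr.Name), rr.Type, rr.TTL)
	for _, r := range recs {
		b.WriteString(r)
		b.WriteByte('\n')
	}
	return []byte(b.String())
}

// SignRRset is the zone operator's side: sign the canonical RRset with the
// zone's private key, which never leaves the signing system.
func SignRRset(priv ed25519.PrivateKey, rr RRset) SignedRRset {
	return SignedRRset{RRset: rr, Signature: ed25519.Sign(priv, canonical(rr))}
}

// ValidateRRset is the resolver's side: accept the answer only when the
// signature verifies under the zone key the resolver already trusts.
func ValidateRRset(trusted ed25519.PublicKey, s SignedRRset) bool {
	return ed25519.Verify(trusted, canonical(s.RRset), s.Signature)
}

// DemoPoisoning plays through the scenario in the article. It returns whether
// the validator accepts (1) the genuine answer, (2) a poisoned copy whose
// address was swapped by an attacker, and (3) an answer the attacker signed
// with a key of their own. Expected: true, false, false.
func DemoPoisoning() (genuineOK, poisonedOK, wrongKeyOK bool) {
	// Constructed zone key; in production the public half would be
	// published as a DNSKEY and chained to the parent zone via a DS record.
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data; example.gov is a placeholder name.
	genuine := SignRRset(zonePriv, RRset{
		Name: "www.example.gov.", Type: "A", TTL: 300,
		Records: []string{"192.0.2.10", "192.0.2.11"},
	})

	// Cache poisoning: a forged answer is raced into the resolver's cache.
	// Without the zone's private key the old signature no longer matches.
	poisoned := genuine
	poisoned.Records = []string{"198.51.100.66"}

	// Signing the forgery with a key the attacker controls does not help
	// either: the resolver's trust anchor is the zone key, not theirs.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKey := SignRRset(attackerPriv, poisoned.RRset)

	return ValidateRRset(zonePub, genuine),
		ValidateRRset(zonePub, poisoned),
		ValidateRRset(zonePub, wrongKey)
}

func main() {
	g, p, w := DemoPoisoning()
	fmt.Printf("genuine answer validates: %v\n", g)
	fmt.Printf("poisoned answer validates: %v\n", p)
	fmt.Printf("attacker-signed answer validates: %v\n", w)
}
```

The point a resolver operator should take from this is that validation never depends on where the answer came from or how fast it arrived, which is exactly what a poisoning race exploits; it depends only on whether the signature checks out under a key the resolver already trusts. The canonical form also means the signature survives harmless differences such as record order or owner-name casing, so genuine answers are not rejected for cosmetic reasons.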

The U.S. General Services Administration (GSA) said Monday that it will deploy DNSSEC on .gov by the end of February.

"Careful and precise acceptance testing on this software was performed and reviewed by a team from OMB, GSA, [National Institutes of Standards and Technology] and [Department of Homeland Security]," the statement said. "During these reviews, it was determined by the team that this software would benefit from a change to improve functionality, which has caused a one-month delay in the implementation schedule."

The U.S. federal government's delay may be a sign that DNSSEC is harder to deploy than previously thought.

"DNSSEC isn't as easy as most people think," says Rodney Joffe, senior vice president for NeuStar's UltraDNS division, which offers managed DNSSEC services for top-level domain operators. "It's not as simple as signing the zone. There are provisioning issues, there are key roll-over issues, and there are a number of administration processes that have to be in place before you can roll-out DNSSEC."

Joffe says the federal government's DNSSEC delay isn't a surprise. "Nonetheless, it's quite impressive how far they've come. The delay is not that significant," he added.

In the decade since the Internet standard was created, DNSSEC has been deployed by only a handful of countries, including Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic.

DNSSEC expert Olaf Kolkman, CEO of NLnet Labs and chair of the Internet Architecture Board, says he doesn't think the delay in signing .gov is significant.

"The train is on steam," Kolkman says of the U.S. government's DNSSEC deployment plan.  

In other DNSSEC news, NIST has purchased software from Secure64 called DNS Signer for use in its DNSSEC testing lab.  

"This is an important deal obviously because NIST is a pretty important client within the federal government space," says Mark Beckett, vice president of marketing for Secure64. "We are talking to and engaged with many agencies because the mandate is for them to deploy DNSSEC by the end of 2009. Many agencies are looking at our software, but NIST is the first actual customer within that space."

Scott Rose, a computer scientist with NIST's Information Technology Laboratory, says DNS Signer was one of several DNSSEC products that NIST has purchased for its testbed.

"NIST has obtained several products for use with the Secure Naming Infrastructure Pilot," Rose says. "The goal of SNIP is to provide a testbed for various network solutions and to assist U.S. federal agency DNS operators [to] learn and develop DNSSEC operational experience before deployment on their production zones. The SNIP team is willing to work with all providers in testing and experimentation."

Experts say it's critical for the U.S. government to maintain its schedule to have DNSSEC fully deployed across all .gov sub-domains by December 2009. They also say it's important for the DNS root zone to be signed.  

"There is no question there is a need for DNSSEC," Joffe says. "We are now seeing cache poisoning attacks in the wild…Signing the zone needs to happen this calendar year."
