Defense Department faces hurdles with DNS Security

By Carolyn Duffy Marsan , Network World , 10/07/2002

The U.S. military's years-long effort to deploy DNS Security is a good example of how difficult it is for enterprises to retrofit their networks with security fixes to the Internet's underlying protocols.

An early and ongoing participant in the development of DNS Security, the Defense Department has worked both directly and through contractors to prepare .mil to be the Internet's first domain to deploy DNS Security. Yet despite efforts going back at least five years, .mil remains vulnerable to hackers who want to spoof one of its Web sites by exploiting well-known holes in DNS.

DNS Security adds digital signatures and public key encryption to the DNS' hierarchical, distributed database system to verify that a domain name matches a corresponding IP address. Developed by the Internet Engineering Task Force, DNS Security was issued as a proposed standard in November 2000.

Since then, the Defense Information Systems Agency has been working to deploy DNS Security across the thousands of applications servers in use today on .mil that provide Web, e-mail and other services. The upgrade involves migrating all of these servers to the latest version of Berkeley Internet Name Domain (BIND) software, 9.2.1, which supports DNS Security.

DISA officials say they are deploying DNS Security in two phases. First they are rolling out the Secret Key Transaction Authentication for DNS, dubbed TSIG. TSIG provides transaction-level authentication for the dynamic updates coming from DNS clients as well as the responses sent by DNS servers. Next, DISA will deploy Signed Zones, which use digital signatures to verify information for a particular spot in the DNS hierarchy.
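The transaction-level check TSIG performs, shown as an added example (not DISA's or BIND's code): the sender computes an HMAC over the message plus the TSIG fields laid out as in RFC 2845, and the server rejects an unknown key, a tampered message, or a message outside the fudge window. The key name, zone name, shared secret and update message are constructed placeholders, and the update is a stand-in byte string rather than a full wire-format DNS packet.

```python
import hashlib
import hmac
import struct

# RFC 2845's original algorithm name; later deployments moved to hmac-sha256
TSIG_ALG = "hmac-md5.sig-alg.reg.int"

def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845 s3.4.2): key name, CLASS ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (name_to_wire(key_name) + struct.pack("!HI", 255, 0)
            + name_to_wire(TSIG_ALG) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """Sign an outgoing message; returns the TSIG fields the sender appends to it."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.md5).digest()
    return {"key_name": key_name, "time_signed": time_signed, "fudge": fudge, "mac": mac}

def tsig_verify(message, tsig, keys, now):
    """Server-side check in RFC 2845 order: unknown key, bad signature, bad time."""
    secret = keys.get(tsig["key_name"].lower())
    if secret is None:
        return "BADKEY"
    covered = message + tsig_variables(tsig["key_name"], tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(secret, covered, hashlib.md5).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"
    return "NOERROR"

def demo():
    """Constructed scenario: one shared key, one dynamic update, four outcomes."""
    key_name = "update-key.example.mil."  # placeholder key/zone name, not a real one
    keys = {key_name: b"constructed-shared-secret"}
    update = b"UPDATE www.example.mil. A 192.0.2.10"  # stand-in for the wire-format update
    t = 1033948800  # 2002-10-07 00:00:00 UTC, a constructed signing time
    tsig = tsig_sign(update, key_name, keys[key_name], t)
    return {
        "genuine": tsig_verify(update, tsig, keys, t + 10),
        "tampered": tsig_verify(update.replace(b"192.0.2.10", b"198.51.100.9"), tsig, keys, t + 10),
        "replayed": tsig_verify(update, tsig, keys, t + 3600),
        "unknown_key": tsig_verify(update, dict(tsig, key_name="other-key.example.mil."), keys, t + 10),
    }
```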

Together, TSIG and Signed Zones will ensure that the .mil "domain name information and transactions are genuine," a DISA spokesman says. "DISA plans to implement both Transaction Authentication and Signed Zone as soon as technically feasible."

DISA is rolling out TSIG on DNS servers under its control at the highest levels of the .mil hierarchy, a process that will be completed by the end of the calendar year. DISA then plans to coordinate with the military's Joint Staff to address TSIG deployment on DNS servers under the control of various military services and agencies.

DISA will not start signing zones under the .mil domain until the IETF finalizes a companion specification called Delegation Signer Resource Record. Delegation Signer streamlines how parent domains hand out keys to child domains. The IETF is expected to complete Delegation Signer before the end of the year.

"We strongly support the [Delegation Signer] record, and DISA's implementation will depend on its stability," the DISA spokesman says. "With [Delegation Signer] support available, several issues with DNS Security key management will become much simpler and will be better for DOD in the long run."

DISA says it will begin signing the .mil zone once Delegation Signer support is stable in BIND 9.3. That's not likely to happen until the middle of 2003, experts say.
