Dot-mil leads DNS security upgrade

Government agencies — especially in the Defense Department — are expected to be early adopters of an emerging technology that promises to improve Internet security by preventing hackers from redirecting Web traffic to bogus sites.

The new security mechanism, dubbed DNSSEC, plugs a hole in the Internet's Domain Name System (DNS) that hackers have exploited to spoof Web sites. DNSSEC prevents these attacks by allowing Web sites to verify their domain names and corresponding Internet Protocol addresses using digital signatures and public-key encryption.

The U.S. military plans to roll out DNSSEC on the .mil domain during the next year.

"DNSSEC is going to be a huge advancement for security on the Net," said Mark Kosters, vice president of research at Network Solutions Inc.

DNSSEC is now available in open-source software called BIND 9 that was released last month, and it will be bundled in upcoming releases of operating systems from Sun Microsystems Inc., Hewlett-Packard Co., Red Hat Inc. and others.

Early adopters of DNSSEC will likely include government agencies, financial services firms and business-to-business exchanges, which all need to ensure the authenticity of the content on their Web sites.

The DNSSEC portion of BIND 9 was funded by the Defense Information Systems Agency (DISA), which awarded a $2 million contract to the Internet Software Consortium and NAI Labs to develop an operational version of DNSSEC.

"DNS servers are critical to the health and well-being of all DOD data communications, as well as that of our allies and trading partners," DISA said in a statement. "DNS has had some well-publicized security issues over the last several years, and DNSSEC was developed...to address these."

DISA has been testing DNSSEC for more than a year and is now working on guidelines for DOD organizations to implement DNSSEC.

But DISA will not wait for BIND 9 to be fully tested before migrating to DNSSEC; instead, the military plans to install BIND 8 with DNSSEC bolted on top.

Experts say DNSSEC requires more powerful hardware and significantly more management time than the earlier versions of the BIND software running on most DNS servers. That extra effort may slow down the adoption rate.

For DNSSEC to work most effectively, the end user's local DNS server and the Web site's DNS server must both support DNSSEC, along with the Internet's root and top-level domain servers. When all of these pieces are in place, the Web site's DNS server sends a digitally signed response, and the local DNS server uses public-key cryptography to verify that signature and confirm the authenticity of the Web site. Once the authenticity is confirmed, the end user can access the Web site.
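
The chain of trust described above, as an added example that is not part of the original article or of BIND: a simplified model in which each zone (root, top-level domain, site) signs a digest of its child's key, and the resolver validates from a configured root trust anchor down to the signed address record. Real DNSSEC signs wire-format record sets and carries key tags, algorithm numbers and validity windows in DNSKEY, DS and RRSIG records, all of which this model omits; the zone names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// zone is the signing side: one key pair per zone (a single DNSKEY in this simplified model).
type zone struct{ pub ed25519.PublicKey; priv ed25519.PrivateKey }
func newZone() *zone { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &zone{pub, priv} }

// msg is the byte string a signature covers; kind keeps DS and A signatures apart.
func msg(kind, name, data string) []byte { return []byte(kind + "\x00" + name + "\x00" + data) }
// ds is the SHA-256 digest of a child's DNSKEY that the parent publishes as its DS record.
func ds(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return string(s[:]) }
// link is one delegation: the child zone name, its DNSKEY, and the parent's signature over its DS.
type link struct{ name string; child ed25519.PublicKey; dsSig []byte }

// validate is the resolver side: the root DNSKEY must match the configured trust anchor, each
// delegation's DS must verify under the parent key, and the record's own signature must verify
// under the final zone key. A break anywhere in the chain rejects the answer.
func validate(anchor string, root ed25519.PublicKey, chain []link, name, data string, sig []byte) bool {
	if ds(root) != anchor { return false }
	key := root
	for _, l := range chain {
		if !ed25519.Verify(key, msg("DS", l.name, ds(l.child)), l.dsSig) { return false }
		key = l.child
	}
	return ed25519.Verify(key, msg("A", name, data), sig)
}

// demo signs an A record under root -> mil -> example.mil (constructed names and addresses)
// and reports whether the genuine record validates and whether a spoofed address does.
func demo() (genuine, spoofed bool) {
	root, mil, ex := newZone(), newZone(), newZone()
	chain := []link{
		{"mil", mil.pub, ed25519.Sign(root.priv, msg("DS", "mil", ds(mil.pub)))},
		{"example.mil", ex.pub, ed25519.Sign(mil.priv, msg("DS", "example.mil", ds(ex.pub)))},
	}
	sig := ed25519.Sign(ex.priv, msg("A", "www.example.mil", "192.0.2.10"))
	genuine = validate(ds(root.pub), root.pub, chain, "www.example.mil", "192.0.2.10", sig)
	spoofed = validate(ds(root.pub), root.pub, chain, "www.example.mil", "203.0.113.7", sig)
	return
}

func main() { fmt.Println(demo()) } // prints "true false"
```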

BIND 9 is the first production software to support all the features of DNSSEC. Distributed by the Internet Software Consortium, BIND 9 is a complete rewrite of the open-source code used to run most DNS servers.

For more information about enterprise networking, go to Network World Fusion. Story copyright 2000 Network World Inc. All rights reserved. Distributed by IDG News Service.
