Dot-mil leads DNS security upgrade
- By Carolyn Duffy Marsan
- Oct 18, 2000
Government agencies, especially in the Defense Department, are expected
to be early adopters of an emerging technology that promises to improve
Internet security by preventing hackers from redirecting Web traffic to
The new security mechanism, dubbed DNSSEC, plugs a hole in the Internet's
Domain Name System (DNS) that hackers have exploited to spoof Web sites:
because ordinary DNS answers carry no proof of origin, an attacker who can
feed a forged name-to-address answer to a DNS server can send its users to
an impostor site. DNSSEC counters these attacks by letting the operator of
a domain sign its DNS records with a private key, so that any DNS server
that receives those records can check, with the matching public key, that
the domain names and their corresponding Internet Protocol addresses are
genuine. It is built on digital signatures and public-key cryptography; the
records themselves are signed, not encrypted, and remain readable by anyone.
The U.S. military plans to roll out DNSSEC on the .mil domain during
the next year.
"DNSSEC is going to be a huge advancement for security on the Net,"
said Mark Kosters, vice president of research at Network Solutions Inc.
DNSSEC is now available in open-source software called BIND 9 that was
released last month, and it will be bundled in upcoming releases of operating
systems from Sun Microsystems Inc., Hewlett-Packard Co., Red Hat Inc. and
Early adopters of DNSSEC will likely include government agencies, financial
services firms and business-to-business exchanges, which all need assurance
that users who look up their Web addresses are directed to the genuine site
and not to an impostor.
The DNSSEC portion of BIND 9 was funded by the Defense Information Systems
Agency (DISA), which awarded a $2 million contract to the Internet Software
Consortium and NAI Labs to develop an operational version of DNSSEC.
"DNS servers are critical to the health and well-being of all DOD data
communications, as well as that of our allies and trading partners," DISA
said in a statement. "DNS has had some well-publicized security issues over
the last several years, and DNSSEC was developed...to address these."
DISA has been testing DNSSEC for more than a year and is now working
on guidelines for DOD organizations to implement DNSSEC.
But DISA will not wait for BIND 9 to be fully tested to migrate to DNSSEC;
instead, the military plans to install BIND 8 with DNSSEC bolted on top.
Experts say DNSSEC requires more powerful hardware and significantly more
management time than earlier versions of the BIND software running on most
DNS servers: signed zones are larger, every signature must be checked by the
receiving server, and signing keys have to be generated, protected and
periodically replaced. That extra effort may slow down the adoption rate.
For DNSSEC to work most effectively, the end user's local DNS server
and the Web site's DNS server must both support DNSSEC, along with the
Internet's root and top-level domain servers, because validation follows a
chain of trust that starts at the root. When all of these pieces are in
place, the Web site's DNS server returns its records together with digital
signatures made with the site's private key. The local DNS server checks
those signatures with the site's public key, and it trusts that key because
the top-level domain's servers have signed a fingerprint of it, and the
root servers have in turn signed the top-level domain's key. If any
signature in that chain fails to verify, the answer is thrown away rather
than passed to the user. Once the authenticity is confirmed, the end user can access the Web
BIND 9 is the first production software to support all the features
of DNSSEC. Distributed by the Internet Software Consortium, BIND 9 is a
complete rewrite of the open-source code used to run most DNS servers.
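The chain of trust described above (root signs the top-level domain's key, the top-level domain signs the site's key, the site signs its records, and the local DNS server checks every link) is small enough to show in working code. The following Go program is an added example written for this page; it is not BIND 9 code and not DISA's implementation. It is a deliberately simplified model: one key per zone instead of separate key-signing and zone-signing keys, no wire-format records, no key tags or NSEC records, and a delegation path handed to the validator directly instead of discovered through referrals. It signs with ECDSA P-256, which DNSSEC later standardised as algorithm 13; the BIND 9 of this article used RSA and DSA, but the verification logic is the same. The zone names root, mil. and disa.mil., the host www.disa.mil. and both IP addresses are constructed for the example and are not real DOD data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"strings"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// digest is what gets signed: real RRSIGs cover the canonical wire-format record set; this model signs "owner|TYPE|rdata".
func digest(owner, typ string, data []string) []byte {
	h := sha256.Sum256([]byte(strings.ToLower(owner) + "|" + typ + "|" + strings.Join(data, "|")))
	return h[:]
}

// zone: one ECDSA P-256 key (DNSSEC algorithm 13) is its DNSKEY; Sets holds rdata per "owner/TYPE", Sigs the RRSIG-like signature per set.
type zone struct {
	Name string
	Key  *ecdsa.PrivateKey
	Sets map[string][]string
	Sigs map[string][]byte
}

func newZone(name string) *zone {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &zone{Name: name, Key: k, Sets: map[string][]string{}, Sigs: map[string][]byte{}}
}

// sign publishes a record set together with its signature under the zone key.
func (z *zone) sign(owner, typ string, data ...string) {
	z.Sets[owner+"/"+typ] = data
	z.Sigs[owner+"/"+typ] = must(ecdsa.SignASN1(rand.Reader, z.Key, digest(owner, typ, data)))
}

// dsRecord is the DS rdata a parent publishes for a child: a digest of the child's DNSKEY.
func dsRecord(pub *ecdsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub))))
}

// verified returns a record set from z only if its signature checks under key.
func verified(z *zone, owner, typ string, key *ecdsa.PublicKey) ([]string, error) {
	data, ok := z.Sets[owner+"/"+typ]
	if !ok || !ecdsa.VerifyASN1(key, digest(owner, typ, data), z.Sigs[owner+"/"+typ]) {
		return nil, fmt.Errorf("%s: no validly signed %s record set for %s", z.Name, typ, owner)
	}
	return data, nil
}

// validate is the resolver side: anchor is the root trust anchor (configured out of band), path the
// delegation chain root -> TLD -> zone. Each parent's signed DS must match the child's DNSKEY; only a key reached that way may vouch for the answer.
func validate(anchor *ecdsa.PublicKey, path []*zone, owner, typ string) ([]string, error) {
	trusted := anchor
	for i := 0; i+1 < len(path); i++ {
		parent, child := path[i], path[i+1]
		ds, err := verified(parent, child.Name, "DS", trusted)
		if err != nil {
			return nil, err
		}
		if len(ds) != 1 || ds[0] != dsRecord(&child.Key.PublicKey) {
			return nil, fmt.Errorf("%s: DS does not match the DNSKEY served by %s", parent.Name, child.Name)
		}
		trusted = &child.Key.PublicKey
	}
	return verified(path[len(path)-1], owner, typ, trusted)
}

// buildDemo sets up root -> mil. -> disa.mil. with one constructed A record (illustrative names and address, not real DOD data).
func buildDemo() (anchor *ecdsa.PublicKey, path []*zone) {
	root, mil, disa := newZone("."), newZone("mil."), newZone("disa.mil.")
	disa.sign("www.disa.mil.", "A", "198.51.100.10")
	mil.sign("disa.mil.", "DS", dsRecord(&disa.Key.PublicKey))
	root.sign("mil.", "DS", dsRecord(&mil.Key.PublicKey))
	return &root.Key.PublicKey, []*zone{root, mil, disa}
}

// hijackZone models an attacker serving disa.mil. under their own key: signatures verify under it, but mil.'s DS does not match it.
func hijackZone(path []*zone, addr string) {
	rogue := newZone("disa.mil.")
	rogue.sign("www.disa.mil.", "A", addr)
	path[len(path)-1] = rogue
}

func main() {
	anchor, path := buildDemo()
	fmt.Println(validate(anchor, path, "www.disa.mil.", "A")) // [198.51.100.10] <nil>
	// A cache poisoner can swap the rdata but cannot produce a new signature.
	path[2].Sets["www.disa.mil./A"] = []string{"203.0.113.66"}
	fmt.Println(validate(anchor, path, "www.disa.mil.", "A")) // [] disa.mil.: no validly signed A record set for www.disa.mil.
	anchor, path = buildDemo()
	hijackZone(path, "203.0.113.66")
	fmt.Println(validate(anchor, path, "www.disa.mil.", "A")) // [] mil.: DS does not match the DNSKEY served by disa.mil.
}
```

The two failure cases are the ones the article is about. In the first, a poisoner rewrites the address but the stale signature no longer covers the new data, so the local server discards it. In the second, an attacker runs a complete, correctly signed copy of the zone under a key of his own; every signature verifies, but the parent's DS record points at the legitimate key, so the validator never trusts the rogue one. Both checks depend on the root trust anchor being configured correctly on the validating server, which is why the article stresses that root and top-level servers must sign as well.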
For more information about enterprise networking, go to Network World Fusion. Story copyright 2000 Network World Inc. All rights
reserved. Distributed by IDG News Service.