DNSsec deadline looms

A requirement for all agencies to apply a security fix to their Web sites by the end of the year is hardly the most onerous mandate the Office of Management and Budget has ever issued, which is why it might catch some agencies by surprise.

The fix for Domain Name System (DNS) servers will prevent hackers from intercepting Web traffic and redirecting it to phony sites that can trick people into supplying personal information, such as a fake Internal Revenue Service site that looks like the real thing.

Agencies might be expecting to spend a lot of money on technology, but they’ll likely discover that staff time is the biggest investment they'll need to make as they implement DNS Security Extensions. That was the case for the National Institute of Standards and Technology, one of the few agencies already using DNSsec to cryptographically authenticate, or sign, its subdomain (NIST.gov) as required by OMB’s mandate, which sets a December 2009 deadline.

“From a technical perspective, it’s not that hard, but logistically, there are a lot of places to trip up,” said Robert Toense, an electronics engineer at NIST’s Office of the Chief Information Officer. The agency’s work included reconfiguring some network operations and developing new security procedures.

An OMB official said all agencies have taken the first step toward meeting the deadline by filing their DNSsec deployment plans with the office. But so far, only NIST and the Office of Personnel Management have finished the work.

The absence of an obligatory big-ticket purchase could be one reason the DNS mandate hasn’t stirred a greater sense of urgency. Government executives might also have the impression that DNSsec doesn’t provide a direct benefit to their agencies, so they haven’t made it a priority, said Alan Paller, director of research at the SANS Institute, an information security research and education organization. But he said such views miss the point.

“This is a big deal because people can’t trust the government,” Paller said, adding that the overwhelming majority of Web sites, including commercial ones, do not use DNSsec. Although moves are afoot in the private sector to change that, “the government should lead by example.”

Careful planning required

NIST started its DNSsec project more than a year ago and discovered that it wouldn’t be as easy as flipping a switch on its DNS servers. Officials were prompted to act by a more limited requirement under the Federal Information Security Management Act dating to December 2006. It recommends that agencies take initial steps to deploy DNSsec only on the most sensitive authoritative DNS servers — those categorized as having a high or moderate impact on agency operations.

Last summer, OMB raised the bar with a memo issued Aug. 22 that orders agencies to implement DNSsec on all authoritative DNS servers by December 2009.

OMB’s memo couldn’t have been more timely. A month earlier, security researcher Dan Kaminsky announced that he had discovered a security flaw in the DNS software that hackers could exploit to introduce false information into the Internet’s routing system and trick users into visiting phony sites.

DNSsec can prevent those kinds of shenanigans through a system called asymmetric key cryptography. With that approach, the operator of an Internet server can use a secret key to create a coded digital signature for that server and then share a public key that others can use to verify the authenticity of the signature and thus the site.

Managing those key pairs is one of the challenges of implementing DNSsec because it necessitates new routines for the information technology department, Toense said.

NIST’s situation was complicated because network administrators had split their DNS operations into some 200 zones to give offices more control over their computing resources. If they had left that situation unchanged, administrators would have needed to generate and maintain separate DNSsec key pairs for all 200 zones.

In addition, like many agencies, NIST operates a split DNS infrastructure for security reasons, so there are two views of the agency’s network resources: a public view for the outside world and an internal view for NIST employees. That approach doubles the number of key pairs required.

Consequently, NIST officials consolidated the 200 DNS zones into 20 and created a centralized management system. The process took several weeks and careful planning to avoid system disruptions, Toense said.

NIST has not bought any new products to help it deploy DNSsec. Instead, it generates the cryptographic keys using its existing DNS server software, Berkeley Internet Name Domain.

However, many more steps are involved that standard DNS software cannot handle, such as creating new keys every 30 days as recommended, securely transferring the keys to parent DNS servers and making sure that the new keys have been received before removing the previous ones.

Toense created the procedures that he and other network administrators follow to handle those steps. “It’s one of those things that is not really that difficult but has to be done carefully,” he said.
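The last of the steps above, confirming that the parent has the new key before the previous one is removed, as an added example that is neither NIST's procedure nor BIND code: a Python model of the gate an operator checks before retiring a key whose DS record is published at the parent. The zone name and key bytes are constructed placeholders; key tags and DS digests follow RFC 4034.

```python
import hashlib
import struct

# Constructed sample zone and dummy public-key bytes (not real key material).
ZONE = "example.gov"
OLD_KEY = struct.pack("!HBB", 257, 3, 8) + b"\x01\x02"   # flags=257 (KSK), proto=3, alg=8
NEW_KEY = struct.pack("!HBB", 257, 3, 8) + b"\x03\x04"


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root label last."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode("ascii")
                    for l in name.rstrip(".").split("."))
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags | proto | alg | pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """RFC 4034 5.1.4 DS digest (type 2, SHA-256) = hash(owner name wire | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, rdata):
    """(key tag, digest) pair the parent zone must publish for this key."""
    return key_tag(rdata), ds_digest(owner, rdata)


def safe_to_retire_old_key(owner, new_rdata, parent_ds):
    """Gate for the final rollover step: the old key may be removed only once the parent
    publishes a DS matching the new key. parent_ds is the list of (tag, digest) pairs
    observed at the parent (for example from a DS query); any other state means keep both keys."""
    return ds_record(owner, new_rdata) in set(parent_ds)


if __name__ == "__main__":
    # Constructed parent views: before and after the parent installed the new DS.
    before = [ds_record(ZONE, OLD_KEY)]
    after = before + [ds_record(ZONE, NEW_KEY)]
    print("retire old key, parent not yet updated:", safe_to_retire_old_key(ZONE, NEW_KEY, before))
    print("retire old key, parent updated:        ", safe_to_retire_old_key(ZONE, NEW_KEY, after))
```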

However, larger agencies and those with more complex IT infrastructures might need to involve multiple administrators and departments, said Scott Rose, a computer scientist at NIST and co-author of Special Publication 800-81, “Secure Domain Name System Deployment Guide.” OMB has directed agencies to follow those guidelines.

A DNSsec deployment might involve network administrators, DNS administrators — if they are separate roles — IT security employees to manage the keys and the appropriate managers to ensure that the agency has a consistent policy, Rose said.

Agencies with more complex DNS operations might want to automate the domain name and security management tasks. Now that the government has mandated DNSsec and the standard is gaining steam in the private sector, analysts expect companies that sell DNS and IP address management solutions to add DNSsec capabilities.

Such automated solutions might be more economical for some agencies than having employees do the work manually, and there is the added benefit of reducing the risk of configuration mistakes as agency networks grow more complex, said Branko Miskov, director of product management at BlueCat Networks. The company’s products cost about $70,000 for a typical agency installation.

“A little configuration error can result in a DNS outage, which can bring the network to a grinding halt,” Miskov said. In addition to Web sites, such failures can affect other applications and resources that increasingly rely on IP addresses, such as e-mail, voice-over-IP telephony and even office printers.

About the Author

John Zyskowski is a senior editor of Federal Computer Week. Follow him on Twitter: @ZyskowskiWriter.
