DNSsec deadline looms

A requirement for all agencies to apply a security fix to their Web sites by the end of the year is hardly the most onerous mandate the Office of Management and Budget has ever issued, which is why it might catch some agencies by surprise.

The fix for Domain Name System (DNS) servers will prevent hackers from intercepting Web traffic and redirecting it to phony sites that can trick people into supplying personal information, such as a fake Internal Revenue Service site that looks like the real thing.

Agencies might be expecting to spend a lot of money on technology, but they’ll likely discover that staff time is the biggest investment they'll need to make as they implement DNS Security Extensions. That was the case for the National Institute of Standards and Technology, one of the few agencies already using DNSsec to cryptographically authenticate, or sign, its subdomain (NIST.gov) as required by OMB’s mandate, which sets a December 2009 deadline.

“From a technical perspective, it’s not that hard, but logistically, there are a lot of places to trip up,” said Robert Toense, an electronics engineer at NIST’s Office of the Chief Information Officer. The agency’s work included reconfiguring some network operations and developing new security procedures.

An OMB official said all agencies have taken the first step toward meeting the deadline by filing their DNSsec deployment plans with the office. But so far, only NIST and the Office of Personnel Management have finished the work.

The absence of an obligatory big-ticket purchase could be one reason the DNS mandate hasn’t stirred a greater sense of urgency. Government executives might also have the impression that DNSsec doesn’t provide a direct benefit to their agencies, so they haven’t made it a priority, said Alan Paller, director of research at the SANS Institute, an information security research and education organization. But he said such views miss the point.

“This is a big deal because people can’t trust the government,” Paller said, adding that the overwhelming majority of Web sites, including commercial ones, do not use DNSsec. Although moves are afoot in the private sector to change that, “the government should lead by example.”

Careful planning required

NIST started its DNSsec project more than a year ago and discovered that it wouldn’t be as easy as flipping a switch on its DNS servers. Officials were prompted to act by a more limited requirement under the Federal Information Security Management Act dating to December 2006. It recommends that agencies take initial steps to deploy DNSsec only on the most sensitive authoritative DNS servers — those categorized as having a high or moderate impact on agency operations.

Last summer, OMB raised the bar with a memo issued Aug. 22 that orders agencies to implement DNSsec on all authoritative DNS servers by December 2009.

OMB’s memo couldn’t have been more timely. A month earlier, security researcher Dan Kaminsky announced that he had discovered a security flaw in the DNS software that hackers could exploit to introduce false information into the Internet’s routing system and trick users into visiting phony sites.

DNSsec can prevent those kinds of shenanigans through a system called asymmetric key cryptography. With that approach, the operator of an Internet server can use a secret key to create a coded digital signature for that server and then share a public key that others can use to verify the authenticity of the signature and thus the site.

Managing those key pairs is one of the challenges of implementing DNSsec because it necessitates new routines for the information technology department, Toense said.

NIST’s situation was complicated because network administrators had split their DNS operations into some 200 zones to give offices more control over their computing resources. If they had left that situation unchanged, administrators would have needed to generate and maintain separate DNSsec key pairs for all 200 zones.

In addition, like many agencies, NIST operates a split DNS infrastructure for security reasons, so there are two views of the agency’s network resources: a public view for the outside world and an internal view for NIST employees. That approach doubles the number of key pairs required.

Consequently, NIST officials consolidated the 200 DNS zones into 20 and created a centralized management system. The process took several weeks and careful planning to avoid system disruptions, Toense said.

NIST has not bought any new products to help it deploy DNSsec. Instead, it generates the cryptographic keys using its existing DNS server software, Berkeley Internet Name Domain.

However, many more steps are involved that standard DNS software cannot handle, such as creating new keys every 30 days as recommended, securely transferring the keys to parent DNS servers and making sure that the new keys have been received before removing the previous ones.

Toense created the procedures that he and other network administrators follow to handle those steps. “It’s one of those things that is not really that difficult but has to be done carefully,” he said.

However, larger agencies and those with more complex IT infrastructures might need to involve multiple administrators and departments, said Scott Rose, a computer scientist at NIST and co-author of Special Publication 800-81 “Secure Domain Name System Deployment Guide.” OMB has directed agencies to follow those guidelines.

A DNSsec deployment might involve network administrators, DNS administrators — if they are separate roles — IT security employees to manage the keys and the appropriate managers to ensure that the agency has a consistent policy, Rose said.

Agencies with more complex DNS operations might want to automate the domain name and security management tasks. Now that the government has mandated DNSsec and the standard is gaining steam in the private sector, analysts expect companies that sell DNS and IP address management solutions to add DNSsec capabilities.

Such automated solutions might be more economical for some agencies than having employees do the work manually, and there is the added benefit of reducing the risk of configuration mistakes as agency networks grow more complex, said Branko Miskov, director of product management at BlueCat Networks. The company’s products cost about $70,000 for a typical agency installation.

“A little configuration error can result in a DNS outage, which can bring the network to a grinding halt,” Miskov said. In addition to Web sites, such failures can affect other applications and resources that increasingly rely on IP addresses, such as e-mail, voice-over-IP telephony and even office printers.