Why .gov went dark

Government domain websites were down for several hours Aug. 14, probably because of a technical problem related to security.

FierceGovernmentIT reported that the outage was "likely caused by a failure to update a cryptographic key necessary for DNSSEC," citing cybersecurity researcher Johannes Ullrich, who first blogged about the outage. Ullrich is the dean of research at the SANS Technology Institute.

DNSSEC stands for Domain Name System Security Extensions, and government websites have made use of them since 2009 for security purposes. DNSSEC uses "key signing keys" to validate "zone signing keys" to verify that the typed-in URL loads the correct Internet protocol address, according to the report.

In plain English, the zone signing keys, which are changed frequently, compute encoded "signatures" for the domain name server of a given website. The key signing key, changed much less often, "signs" the zone signing key. The two keys together establish that the website is the one it claims to be. (See this document at ICANN.org for more information.)

"I think they published a new [key signing key] but forgot to update the new [delegation of signing] record to the root zone," Ullrich told FierceGovernmentIT. "That likely meant that DNS resolvers were sending the wrong cryptographic hash to the government root, meaning that browser requests couldn't be resolved.

Ullrich said government webmasters probably reverted back to the old key signing key to prevent further outage.

A General Services Administration official confirmed the outage to FCW and acknowledged it was related to a DNSSEC error. The outage would have affected only users on unsecure networks, the official said.