Dot-mil leads DNS security upgrade

Government agencies — especially in the Defense Department — are expected to be early adopters of an emerging technology that promises to improve Internet security by preventing hackers from redirecting Web traffic to bogus sites.

The new security mechanism, dubbed DNSSEC, plugs a hole in the Internet's Domain Name System (DNS) that hackers have exploited to spoof Web sites. DNSSEC prevents these attacks by allowing Web sites to verify their domain names and corresponding Internet Protocol addresses using digital signatures and public-key encryption.

The U.S. military plans to roll out DNSSEC on the .mil domain during the next year.

"DNSSEC is going to be a huge advancement for security on the Net," said Mark Kosters, vice president of research at Network Solutions Inc.

DNSSEC is now available in open-source software called BIND 9 that was released last month, and it will be bundled in upcoming releases of operating systems from Sun Microsystems Inc., Hewlett-Packard Co., Red Hat Inc. and others.

Early adopters of DNSSEC will likely include government agencies, financial services firms and business-to-business exchanges, which all need to ensure the authenticity of the content on their Web sites.

The DNSSEC portion of BIND 9 was funded by the Defense Information Systems Agency (DISA), which awarded a $2 million contract to the Internet Software Consortium and NAI Labs to develop an operational version of DNSSEC.

"DNS servers are critical to the health and well-being of all DOD data communications, as well as that of our allies and trading partners," DISA said in a statement. "DNS has had some well-publicized security issues over the last several years, and DNSSEC was developed...to address these."

DISA has been testing DNSSEC for more than a year and is now working on guidelines for DOD organizations to implement DNSSEC.

But DISA will not wait for BIND 9 to be fully tested to migrate to DNSSEC; instead, the military plans to install BIND 8 with DNSSEC bolted on top.

Experts say DNSSEC requires more powerful hardware and a significant increase in management time than earlier versions of the BIND software running on most DNS servers. That extra effort may slow down the adoption rate.

For DNSSEC to work most effectively, the end user's local DNS server and the Web site's DNS server must support DNSSEC, along with the Internet's root and top-level domain servers. When all of these pieces are in place, the Web site's DNS server uses public-key encryption to send out a digital signature to the local DNS server to verify the authenticity of the Web site. Once the authenticity is confirmed, the end user can access the Web site.

BIND 9 is the first production software to support all the features of DNSSEC. Distributed by the Internet Software Consortium, BIND 9 is a complete rewrite of the open-source code used to run most DNS servers.

For more information about enterprise networking, go to Network World Fusion. Story copyright 2000 Network World Inc. All rights reserved. Distributed by IDG News Service.