

Monday, March 16, 2009

NIST SP 800-81 Revision 1

"When you type—or the Web address of your bank or an e-commerce site—into your web browser, you want to be sure that no one is hijacking your request and sending you to a bogus look-alike page. You’re relying on the integrity of the Internet’s “phone book,” the Domain Name System (DNS).

Computer scientists at the National Institute of Standards and Technology (NIST) are playing a major role in making sure that what you type is what you get by providing standards, guidance and testing necessary to bolster the trustworthiness of the global DNS. A draft update of NIST's guidelines for DNS security is now available for public comment."

Source: Safer Net Surfing Is Goal of NIST Domain Name Security Experts, NIST, Retrieved on 03/16/2009 from

Thursday, March 12, 2009

ISC Introduces DLV Web Interface for Rapid DNSSEC Deployment

ISC announced a new web-based interface for its DNSSEC Look-aside Validation (DLV) registry, a mechanism to allow domain holders to secure their domain information using the DNSSEC protocol extension to DNS in advance of a signed root or TLD zone.

ISC is introducing DLV and other DNSSEC and secure DNS services at the Government Security (GovSec) Expo and Conference in Washington, D.C. The new interface makes it easier for DNS administrators to join the DLV registry and maintain their data. DLV means that DNS administrators aren't dependent on others to get the full benefit of DNSSEC for their own portion of the name space.

For more information about ISC's DLV registry and DNSSEC services, please visit

Friday, March 6, 2009

Kaminsky Reluctant on DNSSEC

Dan Kaminsky, director of penetration testing at IOActive, got a lot of attention last year when he discovered a flaw in the Domain Name System, which underlies the Internet, that could allow poisoning of DNS caches. Since then, he said, he has become a believer in the DNS Security Extensions (DNSsec) for digitally signing DNS servers so that queries and responses can be trusted.

“I’ve never been a DNSsec supporter,” he said at the recent Black Hat DC security conference in Arlington, Va. But nothing scales like DNS, he said, including security tools. So he sees no other solution but to use DNSsec.

That doesn’t mean he’s happy about it. He said DNSsec is too complex to implement and administer, sentiments shared by many who have worked with the technology. But help is on the way as vendors develop appliances to automate the processes that generate and update keys and do the signing.

In the meantime, 25 percent of DNS servers have not been updated with the quick-fix patch issued last year for the vulnerability, and stealthy exploits have appeared. Kaminsky estimated that 1 percent to 3 percent of unpatched servers have been poisoned. It’s never too late to patch your servers, and it’s easier than implementing DNSsec.

Source: Government Computer News, "Kaminsky embraces DNSsec, reluctantly", Retrieved Mar 06, 2009 from

Thursday, March 5, 2009

dot-GOV DNSSEC Signed

The dot-GOV top-level domain is now an active DNSSEC-signed zone. All dot-GOV delegation DNSSEC information added to U.S. government agencies' domain delegation records is now considered signed by the dot-GOV TLD.

A GSA-hosted website has been developed to support the project and to host a link to the current dot-GOV public key (a plain text file), which should be used as the published trust anchor for dot-GOV. The site also includes additional links and help pages for implementing DNSSEC in U.S. federal agencies' dot-GOV domains.

Wednesday, March 4, 2009

Government implements DNSSEC on the .gov domain

The government has digitally signed the .gov top-level domain, effectively implementing the Domain Name System Security Extensions (DNSSEC) protocols throughout the top tier of the federal Internet space.

“On Feb. 28, 2009, DNSSEC became operational on .gov after the program successfully completed all required DNSSEC testing,” the General Services Administration, lead agency in the program, said today in a statement.

The signing came one month after the January deadline set by the Office of Management and Budget in August. The deadline had been pushed back when GSA officials found during testing that an additional feature was needed in the DNSSEC software being used.

“The .gov DNSSEC public key was registered [Feb. 28] with the Internet Assigned Numbers Authority (IANA) Interim Trust Anchor Repository (iTAR) and became available for use as the published trust anchor for .gov validation,” GSA said in its statement. “The .gov Top Level Domain is now considered an active DNSSEC signed zone.”

The next step in the governmentwide effort to better secure its DNS is for agencies to begin deploying DNSSEC within their second-level domains, such as, by the end of the year.

Source: Government Computer News, "Government implements DNSSEC on the .gov domain", William Jackson, Retrieved Mar 05, 2009 from

DNSSEC Guidelines being updated

"The National Institute of Standards and Technology is updating its recommendations for meeting the unusual security challenges presented by the Domain Name System (DNS), which underpins much of the Internet by mapping user-friendly domain names to numerical IP addresses.

Achieving those goals requires good network security practices that encompass up-to-date software patches, process isolation and fault tolerance, and the use of the more specific DNS Security Extensions (DNSSEC) to digitally sign and authenticate DNS query and response transactions. Agencies were required to implement DNSSEC in the .gov top-level domain this year. However, the deadline has slipped because the government has been waiting for improvements to the software being used. Second-level domains, such as, are to be signed by the end of the year.

NIST outlined the following basic steps for deploying DNSSEC for zone information:

- Install a DNSSEC-capable name server.
- Check zone file(s) for possible integrity errors.
- Generate asymmetric key pairs for each zone and include them in the zone file.
- Sign the zone.
- Load the signed zone onto the server.
- Configure the name server to turn on DNSSEC processing.
- Send a copy of the public key to the parent for secure delegation (optional).
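The steps above, carried through with the BIND 9 command-line tools, as an added example that is not part of the NIST guideline or this page: it writes a constructed sample zone, checks it, generates a KSK and ZSK, signs the zone, emits the named.conf fragment that loads the signed zone with DNSSEC processing turned on, and prints the DS records for the parent. It also covers the resolver side described in the dot-GOV items above (a published public key used as a trust anchor) by turning a DNSKEY record into a trusted-keys stanza. The zone name example.com, the work directory ./dnssec-demo, the address data and the placeholder "gov." key are all assumptions; when the BIND tools are not installed the signing steps are skipped and only the configuration fragments are produced.

```shell
#!/bin/sh
# Added example (not from NIST, ISC or the page): NIST's basic DNSSEC
# deployment steps run with BIND 9 tools, plus resolver trust-anchor setup.
# Assumptions: zone example.com, constructed sample data, ./dnssec-demo.

ZONE="${ZONE:-example.com}"
WORKDIR="${WORKDIR:-./dnssec-demo}"

# Constructed sample zone (not real data) so the script can run offline.
write_sample_zone() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/db.$ZONE" <<EOF
\$TTL 3600
@   IN SOA ns1.$ZONE. hostmaster.$ZONE. ( 2009030501 7200 900 1209600 3600 )
@   IN NS  ns1.$ZONE.
ns1 IN A   192.0.2.1
www IN A   192.0.2.2
EOF
}

# Step 1: a DNSSEC-capable name server and its signing tools must be present.
require_tools() {
    for t in named-checkzone dnssec-keygen dnssec-signzone; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Step 2: check the unsigned zone for integrity errors before signing.
check_zone() {
    named-checkzone "$ZONE" "$WORKDIR/db.$ZONE"
}

# Step 3: generate a key-signing key (KSK) and a zone-signing key (ZSK)
# and include their public halves in the zone file. RSASHA256 is algorithm 8.
generate_keys() {
    (
        cd "$WORKDIR" || exit 1
        ksk=$(dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE "$ZONE")
        zsk=$(dnssec-keygen -a RSASHA256 -b 1024 -n ZONE "$ZONE")
        printf '$INCLUDE %s.key\n$INCLUDE %s.key\n' "$ksk" "$zsk" >> "db.$ZONE"
    )
}

# Step 4: sign the zone. dnssec-signzone locates the private keys in the
# current directory from the DNSKEY records in the zone; -N INCREMENT bumps
# the SOA serial. Output: db.$ZONE.signed and dsset-$ZONE. (DS records).
sign_zone() {
    ( cd "$WORKDIR" && dnssec-signzone -o "$ZONE" -N INCREMENT "db.$ZONE" )
}

# Steps 5 and 6: named.conf fragment that loads the signed zone and turns on
# DNSSEC processing (dnssec-enable is the 2009-era BIND 9 option; later
# releases enable it by default).
named_conf_fragment() {
    zone="$1"; signed="$2"
    cat <<EOF
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "$zone" {
    type master;
    file "$signed";
};
EOF
}

# Step 7: the DS record(s) to hand to the parent for a secure delegation.
ds_for_parent() {
    cat "$WORKDIR/dsset-$ZONE."
}

# Resolver side: turn a published DNSKEY (e.g. the key a TLD publishes as
# its trust anchor) into a BIND trusted-keys stanza.
# Accepts "owner [TTL] IN DNSKEY flags protocol algorithm base64...".
trusted_keys_fragment() {
    echo "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") d = i
        if (!d) { print "not a DNSKEY record" > "/dev/stderr"; exit 1 }
        key = ""
        for (i = d + 4; i <= NF; i++) key = key $i
        printf "trusted-keys {\n    \"%s\" %s %s %s \"%s\";\n};\n", $1, $(d+1), $(d+2), $(d+3), key
    }'
}

main() {
    write_sample_zone
    if require_tools; then
        check_zone && generate_keys && sign_zone && ds_for_parent
    else
        echo "BIND 9 tools not installed; skipping the signing steps" >&2
    fi
    named_conf_fragment "$ZONE" "db.$ZONE.signed"
    # Constructed placeholder key, not the real dot-GOV trust anchor.
    trusted_keys_fragment "gov. 3600 IN DNSKEY 257 3 8 AwEAAcONPLACEHOLDER"
}

main
```

The trust anchor must come from the published source (for dot-GOV, the GSA site named above), never from an unvalidated DNS answer; the placeholder here only shows the stanza shape.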

In addition to minor textual corrections, the guidance includes the following revisions:

- Updated recommendations for cryptographic parameters based on NIST Special Publication 800-57.
- A discussion of NSEC3 Resource Record in DNSSEC.
- A discussion of DNSSEC in split-view deployments.
- Minor fixes of examples and text.
- Examples based on the Name Server Daemon (NSD) and Berkeley Internet Name Domain (BIND) software.

NIST will hold two public commenting periods. The first one ends March 31; send your comments on the updated guidelines to secureDNS(at) In addition to integrity and authentication, ensuring the availability of DNS services and data is also important. DNS components are subject to denial-of-service attacks that seek to block access to the domain names. The NIST document provides guidelines for configuring deployments to prevent many of the denial-of-service attacks targeted at DNS."

Source: Guidelines for securing DNS being updated, Government Computer News (GCN), William Jackson, Retrieved on March 03, 2009 from

Tuesday, March 3, 2009

Afilias to Provide 1-Click DNSSEC Service to Simplify DNS Security Rollout

GovSec 2009/booth # 301

DUBLIN--(BUSINESS WIRE)--Today Afilias announced the beta launch of 1-Click DNSSEC(TM), an enhancement to its Managed DNS Service that allows organizations, corporations and government agencies to enable DNS Security Extensions (DNSSEC) on their domains quickly and easily. Afilias is currently accepting 'proof of concept' testing customers and expects to officially roll out 1-Click DNSSEC(TM) as a service available to all Afilias Managed DNS customers later this year.

“Afilias’ 1-Click DNSSEC makes it simple and cost-effective to implement DNSSEC, as it requires no new customer hardware or software and it eliminates customer worries about issuing, distributing or maintaining DNSSEC keys,” said John Kane, Vice President of Corporate Services for Afilias. “DNSSEC adoption has been slowed in the past by these costly and complex stumbling blocks, but Afilias has solved these problems. 1-Click DNSSEC is a complete solution and allows anyone to sign their zone with one simple click.”

Afilias’ 1-Click DNSSEC is an add-on service to its Managed DNS product that already provides users with the most diverse, globally available infrastructure to manage traffic to their Web presence.

In addition to Afilias' 100% uptime guarantee, 1-Click DNSSEC(TM) will provide users with:

- Automatic creation of the public/private keys required for DNSSEC
- Seamless key management and key rollover
- Easy coordination with participating ICANN-accredited registrars sponsoring the domains to be signed
- Distribution of public keys to parent zones, Trust Anchor Repositories and DNSSEC Look-Aside Validation (DLV) registries.