

Wednesday, March 4, 2009

DNSSEC Guidelines being updated

"The National Institute of Standards and Technology is updating its recommendations for meeting the unusual security challenges presented by the Domain Name System (DNS), which underpins much of the Internet by mapping user-friendly domain names to numerical IP addresses.

Achieving those goals requires good network security practices that encompass up-to-date software patches, process isolation and fault tolerance, and the use of the more specific DNS Security Extensions (DNSSEC) to digitally sign and authenticate DNS query and response transactions. Agencies were required to implement DNSSEC in the .gov top-level domain this year. However, the deadline has slipped because the government has been waiting for improvement to the software being used. Second-level domains, such as, are to be signed by the end of the year.

NIST outlined the following basic steps for deploying DNSSEC for zone information:

- Install a DNSSEC-capable name server.
- Check zone file(s) for possible integrity errors.
- Generate asymmetric key pairs for each zone and include them in the zone file.
- Sign the zone.
- Load the signed zone onto the server.
- Configure the name server to turn on DNSSEC processing.
- Send a copy of the public key to the parent for secure delegation (optional).

In addition to minor textual corrections, the guidance includes the following revisions:

- Updated recommendations for cryptographic parameters based on NIST Special Publication 800-57.
- A discussion of NSEC3 Resource Record in DNSSEC.
- A discussion of DNSSEC in split-view deployments.
- Minor fixes of examples and text.
- Examples based on the name server daemon and Berkeley Internet Name Domain software.

NIST will hold two public commenting periods. The first one ends March 31; send your comments on the updated guidelines to secureDNS(at) In addition to integrity and authentication, ensuring the availability of DNS services and data is also important. DNS components are subject to denial-of-service attacks that seek to block access to the domain names. The NIST document provides guidelines for configuring deployments to prevent many of the denial-of-service attacks targeted at DNS."

Source: "Guidelines for securing DNS being updated", Government Computer News (GCN), William Jackson. Retrieved on March 03, 2009 from
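One of the revisions listed above is a discussion of the NSEC3 record, which lets a signed zone prove that a name does not exist without listing every name in the zone. The following is an added example (my own code, not code from NIST, GCN or this blog) that works through the two mechanical pieces of that proof as specified in RFC 5155: the iterated, salted SHA-1 hash of an owner name, and the selection of the closest encloser, next-closer and wildcard records a validator checks for an NXDOMAIN answer. The zone names, salt (aabbccdd) and iteration count (12) are taken from the RFC 5155 Appendix A example zone, reproduced here as constructed input, with the empty non-terminals w.example and y.w.example included because NSEC3 chains cover them too; all function names are my own.

```python
"""NSEC3 hashed owner names and NXDOMAIN proof selection (RFC 5155).

Added example; not code from NIST, GCN or the DNSSEC Blog. The zone below is the
RFC 5155 Appendix A example zone, used here as constructed sample input.
"""
import hashlib
from typing import List, Optional, Tuple

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "base32hex" alphabet

# Constructed input: RFC 5155 Appendix A zone, NSEC3PARAM 1 1 12 aabbccdd.
RFC5155_SALT = bytes.fromhex("aabbccdd")
RFC5155_ITERATIONS = 12
RFC5155_ZONE = [
    "example.", "a.example.", "ai.example.", "c.example.", "ns1.example.", "ns2.example.",
    "w.example.", "*.w.example.", "x.w.example.", "y.w.example.", "x.y.w.example.", "xx.example.",
]


def canonical(name: str) -> str:
    """Lowercase, absolute form: 'Example' -> 'example.', '' or '.' -> '.'."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def name_to_wire(name: str) -> bytes:
    """Uncompressed wire format: length-prefixed labels followed by the root byte."""
    out = b""
    for label in (l for l in canonical(name).split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt) applied iterations + 1 times to the wire name."""
    x = name_to_wire(name)
    for _ in range(iterations + 1):
        x = hashlib.sha1(x + salt).digest()
    return base32hex(x)


def nsec3_chain(names, salt: bytes, iterations: int) -> List[str]:
    """Sorted hashed owner names; each record's 'next hashed owner' is the following entry."""
    return sorted({nsec3_hash(n, salt, iterations) for n in names})


def covering_record(chain: List[str], hashed: str) -> Optional[Tuple[str, str]]:
    """(owner, next) of the NSEC3 interval that covers `hashed`; None if `hashed` is a record itself."""
    if hashed in chain:
        return None
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if owner < hashed < nxt:
            return owner, nxt
    # Outside every interval: the last record wraps around to cover everything
    # above it and everything below the first record.
    return chain[-1], chain[0]


def nxdomain_proof(existing, qname: str, salt: bytes, iterations: int) -> Optional[dict]:
    """Select what a validator checks for a Name Error (RFC 5155 section 8.4).

    Returns None when qname exists. `existing` must list empty non-terminals too,
    since the signer generates NSEC3 records for them.
    """
    zone = {canonical(n) for n in existing}
    qname = canonical(qname)
    if qname in zone:
        return None
    chain = nsec3_chain(zone, salt, iterations)
    labels = qname.rstrip(".").split(".")
    # Walk upward until an ancestor exists in the zone: that is the closest encloser.
    for cut in range(1, len(labels) + 1):
        ancestor = canonical(".".join(labels[cut:]))
        if ancestor in zone:
            closest = ancestor
            next_closer = canonical(".".join(labels[cut - 1:]))
            break
    else:
        raise ValueError("qname is not below a zone apex listed in `existing`")
    wildcard = canonical("*." + closest)
    return {
        # Must MATCH an NSEC3 record (proves the encloser exists).
        "closest_encloser": (closest, nsec3_hash(closest, salt, iterations)),
        # Must be COVERED by an interval (proves the next closer name does not exist).
        "next_closer": (next_closer, covering_record(chain, nsec3_hash(next_closer, salt, iterations))),
        # Must be COVERED too; a match here would mean a wildcard answer, not NXDOMAIN.
        "wildcard": (wildcard, covering_record(chain, nsec3_hash(wildcard, salt, iterations))),
    }


if __name__ == "__main__":
    print(nsec3_hash("example.", RFC5155_SALT, RFC5155_ITERATIONS))
    print(nxdomain_proof(RFC5155_ZONE, "a.c.x.w.example.", RFC5155_SALT, RFC5155_ITERATIONS))
```

The apex hash printed for the RFC zone is the owner name of the first NSEC3 record in RFC 5155 Appendix A, which is a convenient check that the wire-format and iteration handling are right. Note that opt-out (the flags field) is not modelled here: with opt-out set, an interval may also cover unsigned delegations, so a validator must treat such a proof as insecure rather than as proof of nonexistence.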
