The federal government did reach a milestone early last year when the National Institute of Standards and Technology and the General Services Administration successfully implemented DNSSEC to the top-level dot.gov domain. DNSSEC adds a cryptographic layer to DNS communication exchanges, helping to reduce the threat of DNS-based attacks. But most individual agencies still haven't met an Office of Management and Budget mandate to secure second-level domains beneath dot.gov, a key step in securing the government's networks.
Issued in August 2008, OMB's memorandum for chief information officers required agencies to digitally sign their sub-domains by December 2009. About 80% of agencies missed that deadline, despite the fact that deployment of DNSSEC at the top-level dot.gov domain should have helped simplify lower-level domain signing.
In addition to the OMB mandate, agencies are under pressure to meet tougher DNSSEC requirements under the Federal Information Security Management Act (FISMA) in August. FISMA's DNSSEC-related rules apply "to all [dot.gov] levels and that's a lot more stringent," said Scott Rose, a computer scientist and DNSSEC project lead at NIST.
Most agencies are in the process of trying to catch up, said Scott Rose, co-author of NIST's Secure Domain System Deployment Guide, a document designed to help agencies secure their sub-domains. Part of the problem for agencies is that DNS security—requiring DNS queries and responses to be digitally signed so they can be authenticated—is relatively new technologically, Rose said. DNSSEC "changes something that was taken for granted," he said. "Before, you set it up once and maybe you touched it every couple of months—every time you had a new host or something. DNSSEC changes that. Now you have to do a lot more management than you did before."
Additional management tasks include:
- Managing cryptographic keys and digital signatures that have expiration dates
- Closely monitoring the impact of DNSSEC, which increases traffic, on network performance
The minority of agencies that have effectively completed DNSSEC, including NIST, tend to be smaller organizations that run their own information technology operations.
"NIST has its own IT shop that does all this, so it's pretty easy for us to do it," Rose said. "Some other agencies [such as the Energy Department] that also run their own IT shops didn't have any problems deploying."
It's a different story for large, diverse federal agencies and departments, especially those whose systems have dated software and aging hardware. DNNSEC "may require upgrades, either hardware or software—or both," Rose said. "It depends on what you have right now."
Other large departments are still wrestling with ways of how to approaching DNSSEC—for example, whether to acquire it as a managed service or buy a product that automates the process.
The bottom line is that full implementation of DNSSEC will take years, not weeks.
The second part of this story will look at what agencies that are lagging behind need to do to catch up.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in May 2010