Agencies were "caught with their guard down because they were unprepared to deal with it," said Branko Miskov, director of product management at DNS appliance maker BlueCat Networks, which is working with several agencies on DNSSEC deployments.
"We've made pretty good progress, especially from December until now," said Derek McUmber, chief executive officer of Data Mountain Solutions Inc., a subcontractor to the General Services Administration, which supports agencies in implementing DNSSEC. About a third of federal agencies now have digitally signed their dot.gov sub-domains, he said, up from only 20% six months ago.
Building your own DNSSEC infrastructure
One example of success is the Federal Aviation Administration, a large agency whose aging network suffered from sprawl across many locations--a common impediment to deploying DNSSEC. "We spent two or three months just tracking down where all the DNS servers were and what was in them," said McUmber. "It took a while to get control of the architecture because it was old equipment and they hadn't looked at it in years."
Once that work was completed, FAA officials installed Data Mountain's SecureMepis, a Federal Information and Security Management Act-compliant Linux operating system, on their DNS servers, and by last March FAA had improved its DNS security.
"They're using our offline signing application and deploying to SecureMepis," McUmber said. "We monitor DNS queries on their servers and if we notice validation errors or any other problems, we let them know so they can fix it."
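The monitoring McUmber describes, watching resolver responses for validation errors, can be approximated by classifying the output of `dig +dnssec`. The check below is an added example, not code from the article or from Data Mountain; the sample responses and the domain name are constructed.

```python
import re

def classify_dnssec(dig_output: str) -> str:
    """Classify a `dig +dnssec` response into a DNSSEC status string.

    Returns "validated", "signed-not-validated", "unsigned", or
    "servfail" (the usual symptom of a validation failure at the resolver).
    """
    m = re.search(r"status: (\w+)", dig_output)
    rcode = m.group(1) if m else "UNKNOWN"
    if rcode == "SERVFAIL":
        # A validating resolver returns SERVFAIL for a broken chain of trust
        # (expired RRSIGs, DS/DNSKEY mismatch). Re-querying with +cd tells
        # the operator whether the signatures or the server are at fault.
        return "servfail"
    flags_m = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    has_rrsig = re.search(r"\sIN\s+RRSIG\s", dig_output) is not None
    if "ad" in flags:                 # resolver authenticated the data
        return "validated"
    if has_rrsig:                     # zone is signed, resolver did not validate
        return "signed-not-validated"
    return "unsigned"                 # no signatures at all

# Constructed sample responses (placeholder domain, abbreviated signature).
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.gov.  300 IN A     192.0.2.10
www.example.gov.  300 IN RRSIG A 8 3 300 20240601000000 20240501000000 12345 example.gov. AbCd...
"""
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.gov.  300 IN A     192.0.2.10
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, sample in [("validated", SAMPLE_VALIDATED),
                         ("unsigned", SAMPLE_UNSIGNED), ("bogus", SAMPLE_BOGUS)]:
        print(name, "->", classify_dnssec(sample))
```

A "signed-not-validated" result from a resolver that should be validating, or a run of "servfail" results for a zone that was previously "validated", is the signal worth paging on.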
As FAA's experience demonstrates, vendors have stepped up to take the complexity out of DNSSEC and make the deployment process more fluid. The National Institute of Standards and Technology has "done a lot to promote what vendors are out there and how they can help simplify DNSSEC engagement because doing it on your own has proven very difficult," Miskov said.
Managed services for DNS security: DNSSEC fast track
FAA's blend of outsourcing and insourcing to get the job done is one approach to meeting the government's DNSSEC requirement. Other basic deployment models include simply buying DNSSEC as a managed service, purchasing DNSSEC software to automate the process or, for agencies that have the technical expertise, doing it completely in-house.
The fastest way for agencies to catch up is to go with DNSSEC as a managed service, generally paying a monthly fee per domain to the vendor. "All you do is tell us the domain and we'll take care of it from there," McUmber said.
Agencies that decide to purchase DNSSEC as a managed service should look for vendors that guarantee 100 percent uptime, sources said. Other factors to consider are customer support (can you call your vendor on weekends or late at night?) and whether service providers have the capacity to add bandwidth to handle the increased traffic incurred by DNSSEC.