White House Mandates DNSSEC
The Office of Management and Budget (OMB) issued a mandate in August requiring all federal agencies to support DNSSEC.
The memo states that the .gov top-level domain itself must be cryptographically signed by January 2009, and that all subdomains under .gov, such as www.irs.gov, must be signed by December 2009.
While the memo focuses on the .gov domain, the U.S. Defense Information Systems Agency says it intends to meet OMB's DNSSEC requirements on the .mil domain, too.
OMB is working with agencies to finalize their plans for deploying DNSSEC on their domains and subdomains, and these plans are expected to be finalized by mid-October.
"The federal government has been working with many organizations regarding DNSSEC and is preparing for deployment," Evans says. "One of the resources available, the Secure Naming Infrastructure Pilot (SNIP), is a testbed available to all government agencies so they can test their DNSSEC operations prior to deployment."
To meet the mandate, federal agencies must upgrade their DNS servers to support the DNSSEC extensions, buy network management tools that handle DNSSEC, and train their network management staff.
"The real impact is that you are changing the way the DNS is managed within the .gov domain," says Scott Rose, a computer scientist with the National Institute of Standards and Technology (NIST) Information Technology Laboratory. "The largest cost in DNSSEC deployment is setting up procedures and software for key management."
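The link the memo describes between a signed .gov apex and each signed subdomain is a DS record: the child zone publishes a DNSKEY for its key-signing key, and the parent publishes a digest of it, which a validator checks at the zone cut. The key-management cost Rose mentions is largely the work of generating those keys and keeping the parent's DS in step with every key rollover. As an added example (not code from the article, OMB or NIST), the following Python implements the RFC 4034 key tag and SHA-256 DS digest and the validator's check. The zone name irs.gov is used only as a label, and the 64-byte key is a constructed placeholder, not a real key.

```python
"""DS record construction and check for a signed child zone (RFC 4034), as an
added example: placeholder zone names and key bytes, not a real .gov key."""
import base64
import hashlib
import struct

# Constructed placeholder public key: 64 bytes, the size of an ECDSA P-256
# public key (algorithm 13). It is NOT a real key and cannot sign anything.
CONSTRUCTED_KSK_PUBKEY = bytes(range(64))
KSK_FLAGS = 257           # ZONE (256) + SEP (1): a key-signing key
DNSKEY_PROTOCOL = 3       # always 3 for DNSKEY
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over the owner-name wire form followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, algorithm: int, public_key: bytes) -> tuple:
    """Build the DS record (key tag, algorithm, digest type, digest) that the
    child hands to the parent zone operator for publication."""
    rdata = dnskey_rdata(flags, DNSKEY_PROTOCOL, algorithm, public_key)
    return (key_tag(rdata), algorithm, DIGEST_SHA256, ds_digest_sha256(owner, rdata))


def ds_matches_dnskey(ds: tuple, owner: str, flags: int, algorithm: int, public_key: bytes) -> bool:
    """The check a validator does at the zone cut: does the parent's DS
    authenticate this DNSKEY from the child's apex?"""
    tag, alg, dtype, digest = ds
    if dtype != DIGEST_SHA256 or alg != algorithm:
        return False
    rdata = dnskey_rdata(flags, DNSKEY_PROTOCOL, algorithm, public_key)
    return tag == key_tag(rdata) and digest == ds_digest_sha256(owner, rdata)


def presentation(owner: str, ds: tuple, flags: int, algorithm: int, public_key: bytes) -> str:
    """Zone-file lines: the DNSKEY as it appears at the child apex and the DS
    as the parent (.gov) would publish it."""
    tag, alg, dtype, digest = ds
    b64 = base64.b64encode(public_key).decode("ascii")
    return (f"{owner} IN DNSKEY {flags} {DNSKEY_PROTOCOL} {algorithm} {b64}\n"
            f"{owner} IN DS {tag} {alg} {dtype} {digest}")


if __name__ == "__main__":
    owner = "irs.gov."  # placeholder zone name for the example
    ds = make_ds(owner, KSK_FLAGS, ALG_ECDSAP256SHA256, CONSTRUCTED_KSK_PUBKEY)
    print(presentation(owner, ds, KSK_FLAGS, ALG_ECDSAP256SHA256, CONSTRUCTED_KSK_PUBKEY))
    # A key with one flipped bit (a substituted key) fails the DS check.
    tampered = bytes([CONSTRUCTED_KSK_PUBKEY[0] ^ 1]) + CONSTRUCTED_KSK_PUBKEY[1:]
    print("genuine key matches DS:",
          ds_matches_dnskey(ds, owner, KSK_FLAGS, ALG_ECDSAP256SHA256, CONSTRUCTED_KSK_PUBKEY))
    print("tampered key matches DS:",
          ds_matches_dnskey(ds, owner, KSK_FLAGS, ALG_ECDSAP256SHA256, tampered))
```

Two details matter operationally. The digest covers the owner name in canonical (lowercased) wire form, so the same key under a differently cased name yields the same DS, but the same key under a different zone name does not; and because the DS binds a specific key, every KSK rollover requires a new DS to be submitted to the parent before the old key is retired, which is the procedural burden the NIST quote refers to.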
Agencies will pay for DNSSEC out of their existing IT infrastructure budgets, Evans says.
"People who want to enable their domain names, say those of their Web sites, to be validated with DNSSEC have to do some investing. They have to update their infrastructure, and they have to go through a learning curve," says Kolkman, who called the OMB deadline of December 2009 "ambitious."
"We think it's doable," Rose says of the .gov DNSSEC deadline. "We think it sends a strong signal that the U.S. government is committed to DNSSEC and to improving Internet security within the .gov domain."
By rolling out DNSSEC on .gov, the federal government is doing what it can to improve the security of the communications it has over the Internet with citizens and contractors.
The U.S. government is "standing up and saying that for all the right reasons, DNSSEC is the path to pursue," Daigle says. "It's a good move because it's proactive. They're trying to address the security of their DNS resources before there is the kind of critical security disaster that many people have posited is needed before DNSSEC would be deployed."
Experts say the OMB mandate may also encourage ISPs to enable DNSSEC validation on their resolvers, since their customers are heavy users of .gov Web sites.
"By the end of the year, a large number of ISPs will all have DNSSEC deployed," Joffe predicts. "There will no longer be an excuse for ISPs not to implement DNSSEC knowing they have customers that go to government Web sites."
The U.S. federal government will be among the first organizations in the world to sign the top-level domain it operates, .gov.
Countries that have deployed DNSSEC in their top-level domains include Sweden, Puerto Rico, Bulgaria and Brazil.
DNS vendors hope the federal DNSSEC mandate will lead to broader adoption of the standard across the Internet.
"We've seen a fair amount of interest in DNSSEC outside the U.S....but we haven't had a whole lot of momentum inside the U.S.," says Cricket Liu, vice president of architecture at InfoBlox. "My hope is that this is the beginning of getting the ball rolling in the U.S."