Feds Tighten Security on .gov
What About the Root and .com?
While significant, the OMB mandate is missing a few key components that are necessary to drive DNSSEC deployment across the Internet.
First, the OMB memo says nothing about when the Internet's root servers will support DNSSEC.
Second, the memo doesn't address whether the U.S. government will require VeriSign, which operates the popular .com and .net top-level domains, to support DNSSEC.
The National Telecommunications and Information Administration (NTIA), the arm of the U.S. government that oversees the Internet's DNS infrastructure, has not set a deadline for DNSSEC deployment for the root servers, .com or .net.
"NTIA recognizes the potential benefits of a DNSSEC signed root zone file and is actively examining various implementation models in coordination with other U.S. government agencies as well as all the other relevant stakeholders, including [The Internet Corporation for Assigned Names and Numbers] and VeriSign, with whom the Department has existing relevant legal relationships," according to an NTIA statement.
NTIA's statement said the agency will not take any action that would affect the operational stability or efficiency of the DNS.
"A DNSSEC signed root zone would represent one of the most significant changes to the DNS infrastructure since it was created; therefore any changes cannot be taken lightly considering that the Internet DNS is a global infrastructure on which the global economy relies," the statement said.
VeriSign has been running DNSSEC pilot projects for several years, and it offers free DNSSEC tools on its Web site for developers.
"The testbed is going well," says Ken Silva, CTO for VeriSign. "We've gathered a lot of data. ... This is all part of the process to be ready if and when the full Internet is ready to deploy DNSSEC."
VeriSign hasn't committed to supporting DNSSEC in .com and .net. As of June 2008, .com and .net supported 87.3 million domain names, a figure that is up 20% from the previous year, according to VeriSign.
Silva says .com and .net will not be upgraded with DNSSEC until after the root.
"This is not something that is going to happen overnight," says Silva, who predicts it will be another three years until the root servers support DNSSEC. "For full DNSSEC deployment Internet-wide, you could be talking decades."
Experts say full-scale deployment of DNSSEC won't happen until the root, .com and .net are authenticated with digital signatures.
"Having the root signed is fairly important," Kolkman says. "Obviously, .com is the 300-pound gorilla in the room. If .com were signed, that would pull a lot of people into DNSSEC, but having the root signed gives a more global signal."
Internet engineers developed DNSSEC in 1997, but the technology hasn't been widely deployed because it suffers from the classic chicken-and-egg dilemma.
DNSSEC doesn't protect against spoofing attacks unless it's widely deployed across the Internet's DNS infrastructure. Web site operators don't benefit much from DNSSEC unless it's deployed at the top-level domain. The top-level domains haven't supported DNSSEC because there hasn't been demand from Web site operators.
With the OMB mandate, it appears the egg is cracking. Other top-level domains interested in rolling out DNSSEC include the Public Interest Registry's .org (http://blog.internetgovernance.org/blog/_archives/2008/4/25/3659794.html) and Poland's country code, .pl.
One reason DNSSEC has been slow to catch on is that it is difficult to deploy. Network managers will need tools that help them generate and store cryptographic keys in a secure manner, plus they will have to update those keys on a regular basis in order to support DNSSEC.
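The "update those keys on a regular basis" part is where most operational mistakes happen: a zone-signing key that is retired before every resolver cache has aged out the old DNSKEY RRset or the old signatures breaks validation for exactly the clients DNSSEC was meant to protect. The following added example (not code from the article or from any vendor named in it) computes the three dates of a pre-publish ZSK rollover as described in RFC 6781 section 4.1.1.1 from the zone's TTLs and its secondary-propagation delay; the timings and start date are constructed values, and the one-hour safety margin is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ZoneTimings:
    """Zone parameters that bound how long stale data can live in resolver caches."""
    dnskey_ttl: timedelta   # TTL of the zone's DNSKEY RRset
    max_rr_ttl: timedelta   # largest TTL of any signed RRset in the zone
    propagation: timedelta  # worst-case delay for a new zone version to reach every secondary


def prepublish_zsk_schedule(publish_new: datetime, t: ZoneTimings,
                            safety: timedelta = timedelta(hours=1)) -> dict:
    """Dates of a pre-publish ZSK rollover (RFC 6781, section 4.1.1.1).

    publish_new:   add the new ZSK to the DNSKEY RRset but keep signing with the old key
    sign_with_new: once every cache can have seen the new DNSKEY, re-sign with the new key
    remove_old:    once no cache can still hold an old-key signature, drop the old key
    """
    # A cache that fetched DNSKEY just before the last secondary loaded the new zone
    # may keep serving the old RRset for a full dnskey_ttl after propagation ends.
    sign_with_new = publish_new + t.propagation + t.dnskey_ttl + safety
    # Signatures made by the old key survive in caches for up to max_rr_ttl after the
    # last secondary stops serving them; removing the key earlier breaks validation.
    remove_old = sign_with_new + t.propagation + t.max_rr_ttl + safety
    return {"publish_new": publish_new, "sign_with_new": sign_with_new, "remove_old": remove_old}


def switch_is_safe(publish_new: datetime, proposed_switch: datetime, t: ZoneTimings,
                   safety: timedelta = timedelta(hours=1)) -> bool:
    """True if switching signing to the new key at proposed_switch is not premature."""
    return proposed_switch >= prepublish_zsk_schedule(publish_new, t, safety)["sign_with_new"]


# Constructed example values, not taken from any real zone.
EXAMPLE_TIMINGS = ZoneTimings(dnskey_ttl=timedelta(hours=24),
                              max_rr_ttl=timedelta(hours=48),
                              propagation=timedelta(hours=2))
EXAMPLE_START = datetime(2008, 8, 25)

if __name__ == "__main__":
    for step, when in prepublish_zsk_schedule(EXAMPLE_START, EXAMPLE_TIMINGS).items():
        print(f"{step:14s} {when:%Y-%m-%d %H:%M}")
```

The same arithmetic applies to a KSK rollover, except that the "remove old" step must additionally wait for the parent zone's DS change to propagate.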
"It has been a complicated and time-consuming exercise for people to deploy DNSSEC," Beckett says. That's one reason Secure64 received a US$1 million grant from the Department of Homeland Security earlier this year to develop an automated DNSSEC signing solution that became the just-released Secure64 DNS Signer product.
"DHS wanted to prime the pump to get commercial products out there to remove that complexity and to make it possible to deploy DNSSEC in a matter of days or weeks, rather than the months and months it might take them today," Beckett adds.
OMB says enough commercial DNSSEC products are available to warrant deployment across .gov.
"The U.S. enjoys a robust and dynamic commercial marketplace that will continue to meet our needs," Evans says. "The Department of Homeland Security Science and Technology Directorate has been leading the research and development associated with this initiative. The National Institute for Standards and Technology is responsible for developing DNSSEC standards, and the General Services Administration is ensuring service-based solutions are available."
DNSSEC experts are encouraging corporate network managers to view the federal mandate as a sign that DNSSEC is real.
"What I think you should take away from this as corporate IT managers is that DNSSEC is coming. DNSSEC is real, and it's out of the experimental stage," Daigle says. "It's OK to buy products and equipment to support it."
Network managers also should take a good look at DNSSEC because of the Kaminsky bug, experts say. This is especially true of industries such as banking and e-commerce that battle phishing attacks.
The Kaminsky bug "is a verifiable and credible business case for actually deploying DNSSEC, not just in the government but in private industry," Joffe says. "The only solution we know of that is 100% correct in solving the problem of DNS cache poisoning is DNSSEC."