When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.
That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.
DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
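How the signature check described above rejects a forged answer, shown as an added example that is not part of the article: it models RRSIG validation with textbook RSA over SHA-256 in place of the real RSASHA256 algorithm and its PKCS#1 padding, and the zone name, addresses and zone key are constructed demo values.

```python
"""Toy DNSSEC validation: sign an A RRset with a zone key, verify it at a
resolver, and show that a poisoned answer (same name, different IP) fails.
Added example, not from the article; textbook RSA over SHA-256 stands in for
the real RRSIG algorithm so it runs with the standard library only."""
import hashlib

# Demo zone key built from two well-known Mersenne primes. They are public,
# so this key is NOT secure; it exists only so the example is self-contained.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537                      # public DNSKEY material
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, signer-side only

def canonical_rrset(owner, rtype, ttl, rdatas):
    """Canonical RRset form, modelled on RFC 4034 section 6: owner name
    lowercased and RDATA sorted, so signer and validator hash identical bytes."""
    lines = [f"{owner.lower()} {ttl} IN {rtype} {r}" for r in sorted(rdatas)]
    return "\n".join(lines).encode()

def rrset_digest(owner, rtype, ttl, rdatas):
    """SHA-256 of the canonical RRset as an integer below the modulus N."""
    h = hashlib.sha256(canonical_rrset(owner, rtype, ttl, rdatas)).digest()
    return int.from_bytes(h, "big")

def sign_rrset(owner, rtype, ttl, rdatas, d=D, n=N):
    """Zone signer: produce an RRSIG-like signature over the RRset."""
    return pow(rrset_digest(owner, rtype, ttl, rdatas), d, n)

def validate(owner, rtype, ttl, rdatas, sig, e=E, n=N):
    """Validating resolver: recompute the digest from the answer it received
    and check it against the signature with the zone's public key (e, n)."""
    return pow(sig, e, n) == rrset_digest(owner, rtype, ttl, rdatas)

# Constructed sample data (.example is a reserved TLD): the zone's real record
OWNER, TTL = "www.agency.example", 300
REAL_IPS = ["192.0.2.10"]
RRSIG = sign_rrset(OWNER, "A", TTL, REAL_IPS)
# ... and a poisoned cache entry that points the same name elsewhere
POISONED_IPS = ["198.51.100.77"]

def demo():
    """Returns the validation outcome for each answer a resolver might hold."""
    return {
        "authentic": validate(OWNER, "A", TTL, REAL_IPS, RRSIG),
        "poisoned": validate(OWNER, "A", TTL, POISONED_IPS, RRSIG),
        "case_insensitive": validate("WWW.AGENCY.EXAMPLE", "A", TTL, REAL_IPS, RRSIG),
    }

if __name__ == "__main__":
    print(demo())  # {'authentic': True, 'poisoned': False, 'case_insensitive': True}
```

The check only proves the answer matches what the key holder signed, which is why a validating resolver must also trust the zone's DNSKEY through the parent zone's DS record, the chain the .gov rollout establishes.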
With DNSSEC deployed, federal Web sites "are less prone to be hacked into, and it means they can offer their services with greater assurances to the public," says Leslie Daigle, Chief Internet Technology Officer for the Internet Society. "DNSSEC means more confidence in government online services."
The U.S. government's DNSSEC mandate is "significant," says Olaf Kolkman, a DNSSEC expert and director of NLnet Labs, a nonprofit R&D foundation in the Netherlands. "First, the tool developers will jump in because there is the U.S. government as a market ... Second, there is suddenly a significant infrastructure to validate against."
The White House DNSSEC mandate comes just weeks after the July disclosure of one of the most serious DNS bugs ever found. The Kaminsky bug -- named after security researcher Dan Kaminsky, who discovered it -- allows for cache poisoning attacks, in which a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing.
White House officials said their DNSSEC mandate has been in the works since February 2003, when the Bush Administration released its National Strategy to Secure Cyberspace. The cybersecurity strategy, which was prompted by the Sept. 11, 2001, terrorist attacks, included the goal of securing the DNS.
Under a separate, but related, cybersecurity program called the Trusted Internet Connection initiative, the U.S. government is reducing the number of external Internet connections it operates from more than 8,000 to less than 100.
The DNSSEC mandate "was issued as a consequence of agencies having completed the initial consolidation of external network connectivity [through the Trusted Internet Connection initiative]," said Karen Evans, administrator for the Office of E-Government and Information Technology at the Office of Management and Budget (OMB), in a statement. "The Kaminsky DNS bug was not a factor."
DNS hardware and software vendors that are scrambling to add DNSSEC capabilities to their products predict the one-two punch of the Kaminsky bug followed by the White House mandate will drive DNSSEC deployment across the Internet.
"The timing couldn't be better right now, with Dan Kaminsky's vulnerability and the huge spotlight that focused on DNS security," says Mark Beckett, vice president of marketing for Secure64, a DNS vendor that began shipping an automated system for deploying DNSSEC in September. "Even though we have a patch out there for the Kaminsky bug ... the only long-term solution to this problem is DNSSEC."
The OMB mandate is "significant, but it's the tip of the iceberg," says Rodney Joffe, senior vice president and senior technologist for NeuStar, which sells the UltraDNS managed services suite and operates several top-level domains (TLDs) including .us and .biz. "All the other TLDs are now scrambling to work on DNSSEC. It's a sea change. There is no question that 2009 will be the year of DNSSEC."