Major Milestone Reached in Deployment of DNSSEC
On July 15, 2010, a major milestone was reached in the deployment of the Domain Name System Security Extensions (DNSSEC) on the Internet, when the root zone was fully signed. The DHS S&T cybersecurity R&D program is a long-time major supporter of this important effort to secure the Internet naming infrastructure, having funded the DNSSEC Deployment Initiative for more than 6 years. See below for more information.
Domain Name System Security Extensions (DNSSEC)
The President’s National Strategy to Secure Cyberspace emphasizes the need to secure existing Internet infrastructure. The Domain Name System (DNS) is a crucial piece of Internet infrastructure that serves as the Internet’s phonebook by translating human-readable host names into IP addresses. The security and continued functioning of the Internet will be greatly influenced by implementing a more secure, robust DNS. In recent years, the Internet community has developed a standard protocol known as Domain Name System Security Extensions (DNSSEC) to provide security for all DNS communications. The U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, partnering with the National Institute of Standards and Technology (NIST), has led the DNSSEC Deployment Initiative, which works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet’s naming infrastructure as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors.
In 2006, NIST published the Secure Domain Name System Deployment Guide (NIST 800-81), which provides recommendations for securing DNS within an enterprise. This document provides extensive guidance on maintaining data integrity and performing source authentication, along with guidelines for configuring DNS deployments to prevent denial-of-service attacks that exploit vulnerabilities in various DNS components. Through government coordination with the Department of Commerce, Department of Defense, General Services Administration, Office of Management and Budget, and other Federal agencies, the DNSSEC standard has been inserted into the Federal Information Systems Management Act process. As a result, government agencies will be required to deploy DNSSEC in the “.gov” domain. By example, the government can demonstrate what is required to secure the critical name function of the Internet infrastructure.
DNSSEC-aware applications, or applications that use DNSSEC, have been developed to support the deployment of the DNSSEC standard. This new class of software enables the deployment of DNSSEC into the Internet infrastructure. Software tools have also been developed to help network operators facilitate the deployment and ongoing operation of DNSSEC. As the standard is implemented, these tools will maintain the security of operations and ensure that end-user applications—such as web browsers and e-mail clients—are modified to be DNSSEC-aware. This will provide end-to-end security for Internet users and ensure the authenticity and integrity of the information their end systems receive.
The DNSSEC program is working with various agencies and communities, including international organizations, to develop, test, evaluate, deploy, and transition DNSSEC technology to the operational Internet. These technologies will provide increased security for the Internet infrastructure. DNSSEC will impact Internet operations organizations, private industry, and the U.S. Government.
DHS S&T Cyber Security Receives National Cybersecurity Innovation Award
On October 11, 2011, the Cyber Security Division (CSD) of the DHS Science and Technology Directorate (S&T) received a National Cybersecurity Innovation Award at the SANS Institute’s Second Annual National Cybersecurity Innovation Conference for the Domain Name System Security Extensions (DNSSEC) project. DNSSEC technology protects the public by ensuring that websites visited are the real deal and not imposters. Phony websites aim to steal users’ log-in names, passwords, and money, and DNSSEC technology helps prevent such thefts by blocking bogus page elements and flagging pages whose DNS identity has been hijacked.
In the award category Building a Federal Cybersecurity Research Program that Results in Substantial Cyber Risk Reduction, S&T Cyber Security was recognized for its innovation in promoting “[r]esearch that pays off through a process that continually calls upon researchers to focus on work that can result in real products and real risk reduction.” Moreover, the award, presented by United States Cybersecurity Coordinator Howard Schmidt, noted that the CSD’s approach “has forced the R&D community to think beyond the theoretical to consider a more practical horizon.” S&T’s DNSSEC project is managed by Edward Rhyne.