Can .gov trust .com?

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Efforts to deploy DNS Security Extensions picking up steam, with all root zone servers and several Top-Level Domains, such as .gov, digitally signed. But until all domains are ready, DNSSEC is only creating island of trust.

The last of 13 servers in the Domain Name System’s authoritative root zone was digitally signed with the DNS Security Extensions May 5, paving the way for the publication this summer of the root trust anchor that will remove a major hurdle to the widespread deployment of DNSSEC.

“Since the beginning of the year, we have been incrementally rolling out DNSSEC in the root zone,” said Joe Waldron, director of product management at VeriSign Naming Services.

The DNS root zone, which contains the records needed to resolve the domain names used by people and applications to the numerical IP addresses used by routers and servers, is overseen by the Commerce Department’s National Telecommunications and Information Administration, and the files are managed by VeriSign. DNSSEC provides a layer of security on the Internet by using cryptographic digital signatures to authenticate responses to DNS queries. The effort by NTIA, VeriSign and the Internet Corporation for Assigned Names and Numbers to deploy DNSSEC in the root zone has been called the biggest structural improvement to the DNS in 20 years.

Related stories:

DNSSEC's early adopters provide test beds for others
How DNSSEC provides a baseline of Internet security
 The .org domain set to sign off on the largest DNSSEC implementation to date
Government implements DNSSEC on the .gov domain
How NIST put DNSSEC into play

The first of 13 authoritative root servers, the L Root run by ICANN – the servers are identified by the letters A through M – was signed in January. The J Root, run by VeriSign, was signed in May. You probably didn’t notice these milestones because during the transition, the NTIA has been creating a Deliberately Unvalidatable Root Zone (DURZ), which delivers signed responses not yet capable of being validated.

“One of the principles of DNS is that all root servers deliver the same information,” Waldron said. So a query response from any of the servers should be identical to a response from any other server. “You don’t want an inconsistent response,” with one server delivering a validated DNSSEC response and another server not.

“We are effectively testing the impact of a signed root zone on the system with all 13 root servers now serving the DURZ,” said NTIA press secretary Jessica Schafer. “Thus far, no harmful effects have been identified.”

If this state of affairs continues, “in the coming months, we expect to authorize ICANN to publish the root zone trust anchor and VeriSign to distribute a validatable signed root zone,” Schafer said. That event, now scheduled for July 1, will be a major milestone for DNSSEC. “Top-level domains (TLDs) will be able to take better advantage of DNSSEC by publishing their keys in the signed root zone. The combination of a signed root and signed TLDs will make it easier for operators to enable DNSSEC.”

The trust anchor is essential to making DNSSEC practical because the whole point is to use digital signatures from signed domains to ensure that DNS responses can be trusted. An individual signature is validated by following a chain of signatures to a key that provides the top level, or anchor, of trust. For a complete chain of trust, each domain and subdomain must be signed and validated, which is not yet the case.

Top Down

Some TLDs already have been signed. The .org TLD was signed in 2009 and has been testing DNSSEC with a select group of test domains. It is the largest generic TLD to be signed so far, with 7.5 million registered domains, and is scheduled to begin accepting general second-tier signed zones this year. The .gov TLD was signed in 2009 under a mandate, and .us, one of more than 200 top-level country codes, was signed in December 2009. But those domains are operating as islands of trust, and verifying digital signatures across domains is cumbersome.

“The stumbling block now is that there is not an effective solution in key management between signed zones,” said Branko Miskov, director of product management at BlueCat Networks, which sells DNS management tools. “There are a number of schemes for exchanging keys, but no real solution. The endpoint is all of the root zone will be signed.”

The imminent publication of the trust anchor is spurring more deployment of DNSSEC. The two largest TLDs, .net and .com, are expected to be signed in the fourth quarter of this year and the first quarter of next year, respectively. The .edu TLD has already been signed and has been acting as a test bed for DNSSEC deployment, but keys have not yet been published. Plans originally called for .edu to go live before now. But when plans were announced to finalize the root zone in July, publication of .edu keys was delayed until the summer, said Rodney Petersen, director of cybersecurity initiatives at Educause, registrar for .edu.

Signing the root zone has caused a quickening of DNSSEC deployment, said Steve Crocker, chief executive officer of Shinkuro, a research and development company hired by the Homeland Security Department to foster use of the technology.

“We are in the early days of deployment,” Crocker said. “We have some early adoption, and things are well on their way but still far away from the end point.”

The U.S. government has been the driving force and one of the early adopters of the development of commercial products for implementing and managing DNSSEC. But even the government has been lagging in deployment. The Office of Management and Budget mandated that the General Services Administration sign the .gov TLD by January 2009 and that agencies sign their subdomains one year later. GSA came pretty close, missing its deadline by only a month. But most agencies missed the January 2010 deadline, and five months later, only about a quarter of government domains have been signed.

“It’s hard to measure,” said Scott Rose, a computer scientist who is the DNSSEC lead at the National Institute of Standards and Technology. GSA, which manages the .gov TLD, considers the information sensitive, and detailed statistics are not available. But a compilation of domains by NIST showed that as of mid-May, only 259 out of 985 .gov domains had been signed. But the list also includes nonfederal domains within the .gov TLD, such as state and local governments that are not required to use DNSSEC.

Waiting for Results

So far, there has been little practical result from the government deployments because validation of the signatures has not yet been required. The DNSSEC deployment demonstrates the limits of government mandates, Rose said.

“There is a difference between making somebody do something and having them want to do it,” he said. “If you want to do it, you want to do it right. If you have to do it, you just want to get it done.”

But Miskov said interest is picking up among BlueCat’s federal customers, who have been enjoying what he said is an undocumented grace period.

“Most customers have already missed the deadline,” he said. “But we’re seeing more traction now than we were last year.” Those who last year did the bare minimum to prepare for DNSSEC are now “deploying in earnest. We have a healthy pipeline of customers.”

A primary reason for the slow deployment of DNSSEC is that, until now, DNS has been simple to run and did not require a lot of management. The addition of digital signatures and task of managing cryptographic keys place an administrative burden on network operators. However, the burden has lessened somewhat during the past two years as tools have appeared to automate the task of signing records and managing the expiration and rollover of signing keys.

“Within your own zone, it has become easy to manage,” Miskov said. “You can set up a zone in a matter of minutes with a few clicks.”

Tools for managing DNSSEC among zones are not as developed but are maturing, and they now run the gamut from hardware appliances and software to managed hosted services. But besides managing DNSSEC, there is the challenge of determining how other networking equipment handle the protocols. DNS packets for validated signatures are larger than those that do not use DNSSEC, and many devices are not used to dealing with them. The larger packets violate many firewall policies, so many DNSSEC packets will be blocked.

To help address those practical issues, NIST, Sparta and DHS have established the Secure Naming Infrastructure Pilot as a test domain. Operators can obtain a delegation within the SNIP domain at DNSops.gov to mirror their operational procedures, sign the new zone with DNSSEC and explore what else they need to do to maintain a digitally signed zone.

VeriSign also has established an interoperability lab to test networking equipment with DNSSEC. VeriSign provides the lab's staff and intends the lab to provide information about the performance of firewalls, load balancers and other equipment that will need to deal with the larger packets. It does not provide any certification, Waldron said.

Several large networking vendors, such as Cisco Systems and Juniper Networks are using the lab. “For the most part, we’ve had very good results,” Waldron said.

The focus on DNSSEC so far has been in core network infrastructures, and the technology has only lately begun moving to desktop applications. There are browser plug-ins for Firefox and some other browsers, and DNSSEC validation is built in to Microsoft’s new Windows 7 operating system.

“That is a double-edged sword,” NIST’s Rose said. A policy is set in the operating system about what domains you expect DNSSEC validation from. But if something under that domain has not been signed, the request comes back as unreachable. “It won’t tell you that DNSSEC failed. It’s a little too aggressive right now because it expects validation” that will not necessarily be available throughout a domain. Rose suggested that a better model would be to return a message that validation was not available and ask the user whether he or she wants to continue to the site.

Although more TLDs and subdomains are being signed, they only form islands of trust on the Internet. Until there is a complete chain of digital signatures that can be validated from a specific site to a root zone, bridging those islands will be a challenge. After all .gov is signed and using DNSSEC, for example, users within that TLD will be assured of the authentication of responses but not necessarily assured of responses coming from .com.

“The limiting factor is that not everyone is playing now,” Miskov said. “Until DNSSEC becomes ubiquitous and everyone is using it, it will take a lot of management to connect the islands of trust.”

Still, until all links are secured with DNS, Waldron said, “any secured link is an improvement.”

NEXT STORY: How DNSSEC provides a baseline of Internet security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.