The .GOV TLD is now an active DNSSEC signed zone. All .GOV delegation DNSSEC information added to a Government Agency's domain delegation record will be considered production and signed by the .GOV TLD. If you are still in the testing phase of implementing DNSSEC, DO NOT upload key information into the www.dotgov.gov DNSSEC system. Uploading test data into the production DNSSEC system may cause validation errors that could affect users accessing your web site. If you are testing, please follow the .GOV DNSSEC Testing links to learn how to safely test and practice signing your .GOV domain.
****************************************
For DNSSEC validation, the latest .gov public key is available 'here' and should be used as the published trust anchor for .gov.
Table of Contents
General Information
Process for implementing DNSSEC for your .GOV Domain
How to Sign your Domain
How to roll over your domain
How to Unsign your Domain
How to move from NSEC to NSEC3
Upgrading your Windows Server for DNSSEC
DNSSEC FAQs
General Information:
Welcome to the DNSSEC support section of the www.dotgov.gov system. In support of the Office of Management and Budget (OMB) mandate issued in August 2008 dealing with the deployment of the DNS Security Extensions (DNSSEC) in the .gov domain (Link to the memo M-08-23), the .GOV support team has created this section of the www.dotgov.gov website to provide some guidance in implementing DNSSEC. Federal agencies that have a .gov delegation have a DNSSEC deployment deadline of December 2009.
DNS Security Extensions (DNSSEC) is a specification of a set of new extensions to the DNS, defined through additional DNS Resource Records, which DNS clients can use to validate the authenticity and data integrity of a DNS response, including authenticated denial of existence.
This protects the DNS client from certain attacks, such as DNS cache poisoning and redirection. The protection mechanisms used in DNSSEC are based on asymmetric key digital signatures.
DNSSEC enables the client, when requesting a name resolution by DNS, to decide if the returned answer is from a valid source and that the information has not been altered on its way back (data integrity and authentication).
The .gov TLD has completed the transition as the first step of a Federal Government transition to DNSSEC. The OMB has required all Federal Agencies to sign their .gov domains by December 2009. State, Native Sovereign Nation, and Local government .gov domains may also participate by signing their zones with DNSSEC but are not required to sign by the OMB mandate.
Configure the name server to turn on DNSSEC processing (if required).
Now that the zone is signed:
Log on to the secure web interface: http://www.dotgov.gov/
Upload the public portion of the Key Signing Key (KSK) that has both the Zone flag and the SEP flag set.
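Before uploading, it is worth confirming that the record you are about to submit really is the KSK and not the ZSK: the Zone Key flag is bit 0x0100 and the SEP flag is bit 0x0001, so a KSK shows flags 257 while a ZSK shows 256. The check below is an added example, not code from the .GOV support site; it parses a DNSKEY record in presentation format, tests both flags and the protocol field, and computes the RFC 4034 key tag and the SHA-256 DS digest that the parent publishes for it. The sample records and the truncated key material are constructed, not real .gov keys.

```python
import base64
import hashlib

# Flag bits from RFC 4034 section 2.1.
ZONE_KEY = 0x0100
SEP = 0x0001

# Constructed sample records (not real .gov keys). The key material is a short
# placeholder so the key-tag arithmetic can be followed by hand.
KSK_RECORD = "example.gov. 3600 IN DNSKEY 257 3 8 AwEAAQ=="
ZSK_RECORD = "example.gov. 3600 IN DNSKEY 256 3 8 AwEAAQ=="


def parse_dnskey(record):
    """Split a DNSKEY record (optional TTL/class) into owner and RDATA fields."""
    tokens = record.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], flags, protocol, algorithm, pubkey


def is_ksk(flags, protocol):
    """Upload-eligible KSK: Zone Key and SEP bits both set, protocol must be 3."""
    return bool(flags & ZONE_KEY) and bool(flags & SEP) and protocol == 3


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical wire-format owner name + RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()


def check_record(record):
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(record)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"ksk": is_ksk(flags, protocol), "key_tag": key_tag(rdata),
            "ds": f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_sha256(owner, rdata)}"}
```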
Additional Resources for DNSSEC Deployment
There are several web sites with additional resources, including links to tools and testbeds, to help DNS administrators deploy DNSSEC. Some of these sites are not operated or sponsored by the US Federal Government so other government specific configuration policies may override examples given by these sites.
Implementing DNSSEC on Windows Server 2008 R2 and Windows 7 operating systems:
Windows DNS – This guide provides an overview of Domain Name System (DNS) Security Extensions (DNSSEC) and information about how to deploy DNSSEC on the Windows Server 2008 R2 and Windows 7 operating systems. DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified by the Internet Engineering Task Force (IETF) in RFCs 4033, 4034, and 4035, with additional RFCs providing supporting information.