Domain Name System Security Extensions

The President’s National Strategy to Secure Cyberspace emphasizes the need to secure existing Internet infrastructure. The Domain Name System (DNS) is a crucial piece of Internet infrastructure that serves as the Internet’s phonebook by translating human-readable host names into IP addresses. The security and continued functioning of the Internet will be greatly influenced by implementing a more secure, robust DNS. In recent years, the Internet community has developed a standard protocol known as Domain Name System Security Extensions (DNSSEC) to provide security for all DNS communications. The DHS S&T Directorate, partnering with the National Institute of Standards and Technology (NIST), has led the DNSSEC Deployment Initiative, which works to encourage all sectors to voluntarily adopt security measures that will improve the security of the Internet’s naming infrastructure as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors.

Motivation

In 2006, NIST published the Secure Domain Name System Deployment Guide (NIST 800-81), which provides recommendations for securing DNS within an enterprise. This document provides extensive guidance on maintaining data integrity, performing source authentication, and configuring DNS deployments to prevent denial-of-service attacks that exploit vulnerabilities in various DNS components. Through government coordination with the Department of Commerce, Department of Defense, General Services Administration, Office of Management and Budget, and other federal agencies, the DNSSEC standard has been inserted into the Federal Information Systems Management Act process. As a result, government agencies will be required to deploy DNSSEC in the “.gov” domain. The government will set the example by demonstrating what is required to secure the critical name function of the Internet infrastructure.

Approach

DNSSEC-aware applications, or applications that use DNSSEC, have been developed to support the deployment of the DNSSEC standard into the Internet infrastructure. Software tools have also been developed to help network operators facilitate the deployment and ongoing operation of DNSSEC. As the standard is implemented, these tools will maintain the security of operations and ensure that end-user applications—such as web browsers and e-mail clients—are modified to be DNSSEC-aware. This will provide end-to-end security for Internet users and ensure the authenticity and integrity of the information their end systems receive.

The DNSSEC program is working with various agencies and communities, including international organizations, to develop, test, evaluate, deploy, and transition DNSSEC technology to the operational Internet. These technologies will provide increased security for the Internet infrastructure. DNSSEC will impact Internet operations organizations, private industry, and the U.S. government.

DNSSEC News

DHS S&T Cyber Security Division Receives National Cybersecurity Innovation Award

On October 11, 2011, S&T's Cyber Security Division (CSD) received a National Cybersecurity Innovation Award at the SANS Institute’s Second Annual National Cybersecurity Innovation Conference for the DNSSEC project. DNSSEC technology protects the public by ensuring that websites visited are the real deal and not imposters. Phony websites aim to steal users’ log-in names, passwords, and money, and DNSSEC technology helps prevent such thefts by blocking bogus page elements and flagging pages whose DNS identity has been hijacked.

In the award category Building a Federal Cybersecurity Research Program that Results in Substantial Cyber Risk Reduction, S&T's CSD was recognized for its innovation in promoting “[r]esearch that pays off through a process that continually calls upon researchers to focus on work that can result in real products and real risk reduction.” Moreover, the award, presented by United States Cybersecurity Coordinator Howard Schmidt, noted that the CSD approach “has forced the R&D community to think beyond the theoretical to consider a more practical horizon.” S&T’s DNSSEC project is managed by Edward Rhyne.

Major Milestone Reached in Deployment of DNSSEC

On July 15, 2010, a major milestone was reached in the deployment of DNSSEC on the Internet, when the root zone was fully signed. The S&T Directorate is a long-time major supporter of this important effort to secure the Internet naming infrastructure, having funded the DNSSEC Deployment Initiative for more than 6 years.

DNSSEC Snapshot Article

Making Domain Names Safe and Reliable: Domain Name System Security Extensions

Contact

Email: SandT-Cyber-Liaison@hq.dhs.gov
