When you type www.irs.gov—or the Web address of your bank or an e-commerce site—into your web browser, you want to be sure that no one is hijacking your request and sending you to a bogus look-alike page. You're relying on the integrity of the Internet's "phone book," the Domain Name System (DNS). Computer scientists at the National Institute of Standards and Technology (NIST) are playing a major role in making sure that what you type is what you get by providing standards, guidance and testing necessary to bolster the trustworthiness of the global DNS. A draft update of NIST's guidelines for DNS security is now available for public comment.
Most recently, NIST computer scientists provided technical assistance to the General Services Administration to meet the end-of-February deadline to secure the top-level .gov ("dot-gov") domain, the first major step of a new government-wide DNS security upgrade. NIST researchers develop the standards, specifications and operational procedures used by federal civilian agencies to safeguard their information systems. The Internet relies on the DNS system that converts the user-friendly names (www.nist.gov) into a unique Internet Protocol address (22.214.171.124) necessary to route data to its destination.
The DNS as currently deployed lacks the ability to authenticate the source or integrity of responses returned from the system, and as a result it is easy to spoof responses and redirect users to fake or look-alike destinations. NIST and others are working to add "steel doors and locks" to enhance DNS security. NIST computer scientists led the development of new Internet Engineering Task Force (IETF) standards to add digital signatures and associated key management procedures to DNS protocols. These additions, called DNSSEC, allow users to validate the authenticity and integrity of the data and will provide the basis for a new trust infrastructure for the DNS and protocols and systems that rely on it.
"We hope that the dot-gov deployment of DNSSEC will encourage rapid deployment in other sectors, including government contractors, trading partners and general e-commerce sites," said Scott Rose, one of the NIST computer researchers.
In addition to developing the standards and deployment protocol guidance for DNSSEC, NIST researchers have developed the Secure Naming Infrastructure Pilot (SNIP) distributed testbed (www.dnsops.gov) to assist agencies and vendors in experimenting with and evaluating specific DNSSEC solutions. NIST is a member of an industry-government DNSSEC-Deployment Initiative, coordinated by the Department of Homeland Security, to foster adoption and implementation of DNSSEC specifications across Internet domains.
The NIST team also has drafted updated recommendations for the "Secure Domain Name System (DNS) Deployment Guide" (NIST Special Publication 800-81 Rev 1), the key DNS security guidance document for civilian agencies, (Available on the Web at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf.)
This first revision of the guidance proposes stronger cryptographic algorithms and keys to provide more resilience against attack. The revised publication incorporates comments from the Internet Engineering Task Force that are to update best practices and checklists in the document. The latest version of the deployment guide includes cookbook configuration instructions for two commonly deployed DNS server implementations.
The public is invited to review the draft NIST SP-800-81 revision 1 guidelines and submit comments to SecureDNS@nist.gov before March 31, 2009.