The objectives of the HAD project are to research and develop Domain Name System (DNS) technologies, DNSSEC security protocols, IETF DANE technologies that leverage the DNS as a key discovery and management infrastructure, use of DANE and other DNSSEC-enabled technologies, X.509/PKIX certificate technologies, TLS/SSL implementation, and S/MIME and PGP email security protocols.
The High Assurance Domains (HAD) project builds upon NIST's previous efforts to design, standardize and deploy security extensions to the Domain Name System (DNS) by leveraging a secure naming infrastructure to devise scalable solutions for other Internet security issues.
- NIST SP 800-177 Trustworthy Email - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177.pdf
- NIST Email Authentication Tester - Test SPF/DKIM/DMARC - https://email-test.had.dnsops.gov/
- NIST DANE Tester - Test TLSA web/email, SMIMEA and OPENPGPKEY RRs - https://dane-test.had.dnsops.gov/
- NIST High Assurance Domains Deployment Monitor - https://monitor.dnsops.gov/
- RFC4033 - DNS Security Introduction and Requirements; S. Rose, et al; https://tools.ietf.org/html/rfc4033
- RFC4034 - Resource Records for the DNS Security Extensions; S. Rose, et al; https://tools.ietf.org/html/rfc4034
- RFC4035 - Protocol Modifications for the DNS Security Extensions; S. Rose, et al; https://tools.ietf.org/html/rfc4035
- RFC6672 - DNAME Redirection in the DNS; S. Rose, et al; https://tools.ietf.org/html/rfc6672
- RFC6725 - DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates; S. Rose, et al; https://tools.ietf.org/html/rfc6725
- NIST SP 800-81-2 Secure Domain Name System Deployment Guide - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
Additional Technical Details
The goal of the HAD project is to develop, test and help deploy new network security technologies to aid in building trust in online communications. Recently developed network security technologies make it possible to increase trust in Internet communications, yet many key Internet protocols currently lack security or have operational issues that limit their usefulness. The High Assurance Domain (HAD) project works with the tech industry and the financial services sector to refine, test and deploy these new technologies to aid in building trust in consumer to business (C2B), business to business (B2B) and consumer to government (C2G) communications.
However, simply "turning on" a new security feature is not enough. Enterprise administrators and operators need to understand what it means to have security and trust in a service such as email, web or even DNS. The HAD project will also look at producing guidance documentation focusing on services rather than the traditional view of servers and networks. Some specific technologies being considered as part of the HAD project include:
DNS Security (DNSSEC)
The Domain Name System Security Extensions (DNSSEC) are a set of new DNS Resource Records (RRs) that add digital signatures over DNS data. These digital signatures add data authentication and integrity protection to DNS data. Trust with DNSSEC is built upon the existing DNS hierarchy, with parent zones (e.g. com, gov) stating the security status of child zones (e.g. nist.gov). This would allow DNS to become a lightweight trust infrastructure that can be used to bootstrap trust in other Internet communications.
Email is still one of the primary means of communication on the Internet. However, email is inherently insecure and users are taught to mistrust all email from (supposedly) trusted sources. Several methods to add security (e.g. authentication, confidentiality) have been proposed but few have gained wide acceptance. Some of these methods rely on the DNS to publish key material or policy information. With DNSSEC, these methods become trustworthy. More importantly, the DNS acts as a trust infrastructure and allows parties with no previous knowledge of each other to build a level of trust in email communications.
The goal of NIST's HAD project is to help bring these new technologies together to allow an enterprise to create a secure domain from the ground up. The primary focus will be on developing prototype tools, guidance documents and testbeds to help foster deployment.
NIST Cybersecurity Practice Guide, Special Publication 1800-6: “Domain Name Systems-Based Electronic Mail Security”
Updating the Keys for DNS Security - ITL Bulletin September 2017
GitHub: Great DANE Secure Email Tools.
NIST's prior work in the development of DNSSEC technologies was supported in part by the Department of Homeland Security - Science and Technology Directorate - Cybersecurity Program.
Related NIST Projects
NCCoE - DNS-Based Secured Email Project.
SBIR Phase II Grant: Secure Email Agent Using the Domain Name System (DNS) as a Trust Infrastructure