
Summary

Internet Domain Name System (DNS)
The Domain Name System (DNS) is the ubiquitous naming infrastructure for the global Internet. The DNS provides a distributed, worldwide directory service for translating names to network addresses, services, and policy information. Today, complex network services such as load balancing and distributed content delivery are built on DNS technology.

Description


The objectives of NIST’s High Assurance Domains (HAD) project are to design, standardize and foster wide-scale adoption of technologies that improve the security, robustness and privacy of the Internet’s Domain Name System. A second dimension of NIST’s effort is to explore ways to leverage a trustworthy global naming service to address other issues in Internet security and scalable trust infrastructures.

Major Accomplishments

  • 2017 – NIST, in collaboration with the NCCoE, develops and issues guidance on DNS-Based Electronic Mail Security.
  • 2017 – NIST develops and issues the Trustworthy Email guidance document (NIST SP-800-177r1).
  • 2016 – NIST develops and deploys online test systems for DANE- and DMARC-enabled email technologies.
  • 2013 – NIST issues the revised Secure DNS Deployment Guide (NIST SP-800-81r1).
  • 2009 – NIST, in collaboration with NTIA, develops requirements for DNSSEC deployment at the root of the global DNS; the DNS root is DNSSEC-signed for the first time. NTIA and the HAD project team are awarded the DoC Gold Medal.
  • 2009 – NIST deployment guidance and test tools enable .gov to be the first gTLD to operationally deploy DNSSEC.
  • 2009 – NIST works with GSA and OMB to ensure the safety of the initial .gov DNSSEC deployment. The HAD project team is awarded the DoC Gold Medal.
  • 2008 – NIST issues the first Secure DNS Deployment Guide (NIST SP-800-81).
  • 2006 – NIST develops and deploys the first DNSSEC zone integrity test tool to assist early adopters.
  • 2005 – NIST coauthors the set of basic IETF DNSSEC RFCs.

For further details on NIST accomplishments, contributions and impact, see Associated Products.

The goal of the HAD project is to design, standardize and help deploy new DNS security technologies to aid in building trust in online communications. NIST’s HAD project team works with the industry, the Internet Engineering Task Force and key user groups (e.g., the USG, the financial services sector) to define, evaluate and foster deployment of these new network security technologies necessary to enable trustworthy communications. More forward-looking research in the HAD project examines approaches to leverage secure DNS services to build trust infrastructures for challenging new domains, such as those posed by the Internet of Things.

Fostering change in global infrastructure is a long and difficult process, even after new commercial products and services are available. Post-standardization activity in the HAD project includes developing detailed deployment guidance and best common practice guides from pilot deployments, and developing test and measurement tools to aid both the product development community and the network administrators working through the issues of early adoption and deployment. Some specific technologies being considered as part of the HAD project include:

DNS Security (DNSSEC) and Privacy

The Domain Name System Security Extensions (DNSSEC) are a set of new DNS Resource Records (RRs) that add digital signatures over DNS data. These digital signatures add data authentication and integrity protection to DNS data. Trust with DNSSEC is built upon the existing DNS hierarchy, with parent zones (e.g., com, gov) encoding the security status of child zones (e.g., nist.gov). Emerging technologies such as DNS-based Authentication of Named Entities (DANE) leverage DNSSEC to enable the Domain Name System to be used as a ubiquitous, scoped key management and certificate infrastructure.

Trustworthy Email

Email is still one of the primary means of communication on the Internet. However, email is inherently insecure, and users are taught to mistrust all email from (supposedly) trusted sources. Several methods to add security (e.g., authentication, confidentiality) have been proposed, but few have gained wide acceptance. Some of these methods rely on the DNS to publish key material or policy information. With DNSSEC, these methods become trustworthy. More importantly, with DANE the DNS acts as a trust infrastructure that enables opportunistic encryption between mail systems with no previous knowledge of each other.
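The two mechanisms described above, the DNSSEC chain of trust (parent zones vouching for child zone keys) and a DANE TLSA record that a mail server's TLS key must match, can be modelled end to end in a short program. The following Go example is added here for illustration; it is not NIST's code or any product's implementation. It simplifies real DNSSEC in ways that are labelled in the comments: one Ed25519 key per zone instead of separate KSK/ZSK, a DS digest over name plus key bytes rather than the full RFC 4034 RDATA, and a constructed mail host name (`mail.nist.gov`) and constructed public-key bytes in place of a real certificate. It validates a root -> gov -> nist.gov chain from a trust anchor, verifies the RRSIG over the TLSA record with the validated zone key, and then shows both failure modes a DANE-aware MTA must catch: a substituted zone key that no parent-published DS matches, and a TLS peer presenting a key that is not in the TLSA record.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a signed zone's key pair (DNSSEC algorithm 15 is Ed25519; the KSK/ZSK split is omitted).
type Zone struct {
	Pub  ed25519.PublicKey  // published in the zone as its DNSKEY record
	priv ed25519.PrivateKey // kept offline; signs the zone's RRsets (RRSIG)
}

func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the CSPRNG does
	return &Zone{Pub: pub, priv: priv}
}

// rrsetBytes is the byte string an RRSIG covers: owner name, record type and data.
func rrsetBytes(owner, rtype string, rdata []byte) []byte {
	return append([]byte(owner+"|"+rtype+"|"), rdata...)
}

// dsDigest models a DS record: the parent's hash of the child's DNSKEY (RFC 4034 hashes name + full RDATA; simplified here).
func dsDigest(name string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name+"."), pub...))
	return h[:]
}

// Link is what a validating resolver gathers at one zone cut.
type Link struct {
	Name      string
	Pub       ed25519.PublicKey // the child zone's DNSKEY
	DS, DSSig []byte            // DS record and its RRSIG, both served by the parent zone
}

// ValidateChain walks from the trust anchor (root DNSKEY) to the leaf, requiring at each
// cut that the parent signed the DS and that the DS matches the child's DNSKEY.
func ValidateChain(anchor ed25519.PublicKey, links []Link) (ed25519.PublicKey, error) {
	parentKey := anchor
	for _, l := range links {
		if !ed25519.Verify(parentKey, rrsetBytes(l.Name, "DS", l.DS), l.DSSig) {
			return nil, fmt.Errorf("DS RRset for %q has an invalid RRSIG", l.Name)
		}
		if !bytes.Equal(l.DS, dsDigest(l.Name, l.Pub)) {
			return nil, fmt.Errorf("DNSKEY for %q does not match the DS its parent published", l.Name)
		}
		parentKey = l.Pub
	}
	return parentKey, nil // the validated leaf zone key
}

// TLSA models a DANE record with usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
type TLSA struct{ SPKIHash []byte }

// CheckDANE verifies the TLSA RRSIG with the validated zone key, then matches the presented key
// against it; either failure means the session must not be treated as authenticated.
func CheckDANE(zoneKey ed25519.PublicKey, owner string, rec TLSA, sig, presentedSPKI []byte) error {
	if !ed25519.Verify(zoneKey, rrsetBytes(owner, "TLSA", rec.SPKIHash), sig) {
		return fmt.Errorf("TLSA RRSIG for %q is invalid: record cannot be trusted", owner)
	}
	if got := sha256.Sum256(presentedSPKI); !bytes.Equal(got[:], rec.SPKIHash) {
		return fmt.Errorf("key presented by %q does not match its TLSA record", owner)
	}
	return nil
}

// RunScenario builds a constructed root -> gov -> nist.gov chain and a TLSA record for a
// constructed mail host, then validates as a DANE-aware MTA would. swapGovKey swaps in an
// attacker's DNSKEY for gov (root-signed DS unchanged); wrongCert presents an unlisted key.
func RunScenario(swapGovKey, wrongCert bool) error {
	root, gov, nist := NewZone(), NewZone(), NewZone()
	govDS, nistDS := dsDigest("gov", gov.Pub), dsDigest("nist.gov", nist.Pub)
	links := []Link{
		{"gov", gov.Pub, govDS, ed25519.Sign(root.priv, rrsetBytes("gov", "DS", govDS))},
		{"nist.gov", nist.Pub, nistDS, ed25519.Sign(gov.priv, rrsetBytes("nist.gov", "DS", nistDS))},
	}
	if swapGovKey {
		links[0].Pub = NewZone().Pub // no DS for this key exists in the root zone
	}
	owner := "_25._tcp.mail.nist.gov"                         // constructed MTA name
	serverSPKI := []byte("constructed SPKI of mail.nist.gov") // stand-in for DER bytes
	h := sha256.Sum256(serverSPKI)
	rec := TLSA{SPKIHash: h[:]}
	sig := ed25519.Sign(nist.priv, rrsetBytes(owner, "TLSA", rec.SPKIHash))
	zoneKey, err := ValidateChain(root.Pub, links)
	if err != nil {
		return err
	}
	if wrongCert {
		serverSPKI = []byte("constructed SPKI of an interposed host")
	}
	return CheckDANE(zoneKey, owner, rec, sig, serverSPKI)
}

func main() { fmt.Println(RunScenario(false, false), RunScenario(true, false), RunScenario(false, true)) }
```

`RunScenario(false, false)` returns nil; the two tampered runs return errors naming the failed check. The design point worth noticing is the order of operations: the TLSA record is only consulted after the zone key that signed it has itself been validated back to the trust anchor, which is what lets an MTA treat a DNS answer as key material rather than as a hint.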


Created August 14, 2016, Updated October 12, 2018