Summary

Internet Domain Name System (DNS)

The Domain Name System (DNS) is the ubiquitous naming infrastructure of the global Internet.  The DNS provides a distributed, worldwide directory service for translating names to network addresses, service locations and policy information.  Today complex network services such as load balancing and content distribution networks are built on DNS technology.

Description

The objectives of NIST’s High Assurance Domains (HAD) project are to design, standardize and foster wide-scale adoption of technologies that improve the security, robustness and privacy of the Internet’s Domain Name System.  A second dimension of NIST’s effort is to explore ways to leverage a trustworthy global naming service to address other issues in Internet security and scalable trust infrastructures.

Major Accomplishments

  • 2017 – NIST, in collaboration with the NCCoE, develops and issues NIST SP 1800-6, Domain Name System-Based Electronic Mail Security.
  • 2017 – NIST develops and issues the Trustworthy Email guidance document (NIST SP 800-177; Revision 1 issued February 2019).
  • 2016 – NIST develops and deploys online test systems for DANE- and DMARC-enabled email technologies.
  • 2013 – NIST issues the revised Secure DNS Deployment Guide (NIST SP 800-81-2).
  • 2009 – NIST, in collaboration with NTIA, develops the testing and implementation requirements for DNSSEC deployment in the authoritative root zone, leading to the DNS root being DNSSEC-signed for the first time.  NTIA and the HAD project team are awarded the DoC Gold Medal.
  • 2009 – NIST deployment guidance and test tools enable .gov to be the first gTLD to operationally deploy DNSSEC.
  • 2009 – NIST works with GSA and OMB to ensure the safety of the initial .gov DNSSEC deployment.  The HAD project team is awarded the DoC Gold Medal.
  • 2008 – NIST issues the first Secure DNS Deployment Guide (NIST SP 800-81).
  • 2006 – NIST develops and deploys the first DNSSEC zone integrity test tool to assist early adopters.
  • 2005 – NIST coauthors the core IETF DNSSEC RFCs (RFC 4033, 4034 and 4035).

For further details on NIST accomplishments, contributions and impact, see Associated Products.

The goal of the HAD project is to design, standardize and help deploy new DNS security technologies that aid in building trust in online communications.  NIST’s HAD project team works with industry, the Internet Engineering Task Force and key user groups (e.g., the USG and the financial services sector) to define, evaluate and foster deployment of the network security technologies needed for trustworthy communications.  More forward-looking research in the HAD project examines approaches to leveraging secure DNS services to build trust infrastructures for challenging new domains, such as the Internet of Things.

Fostering change in global infrastructure is a long and difficult process even after new commercial products and services are available.  Post-standardization activity in the HAD project includes developing detailed deployment guidance and best-common-practice guides from pilot deployments, and developing test and measurement tools to aid both the product development community and network administrators working through the issues of early adoption and deployment.  Specific technologies being considered as part of the HAD project include:

DNS Security (DNSSEC) and Privacy

The Domain Name System Security Extensions (DNSSEC) are a set of DNS Resource Records (RRs) (DNSKEY, RRSIG, DS and NSEC/NSEC3) that add digital signatures over DNS data.  These signatures provide origin authentication and integrity protection for DNS data; they do not provide confidentiality.  Trust with DNSSEC is built upon the existing DNS hierarchy: a parent zone (e.g. com, gov) publishes a DS record carrying a hash of the child zone’s (e.g. nist.gov) key-signing key, so a validating resolver can walk a chain of trust from the root trust anchor down to any signed zone, and must treat a broken chain as a validation failure rather than as unsigned data.  Emerging technologies such as DNS-based Authentication of Named Entities (DANE) leverage DNSSEC to enable the Domain Name System to be used as a ubiquitous, scoped key management and certificate infrastructure.
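As an added illustration (not code from this page or from the HAD project), the following Python builds the DS record a parent zone publishes for a child DNSKEY and shows the check a validator makes in the other direction. The owner name nist.gov, the flags and the base64 key material are constructed inputs, not real zone data; the wire formats, digest rule and key tag algorithm follow RFC 4034.

```python
import base64
import hashlib
import struct


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels,
    no compression, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3),
    algorithm number, then the raw public key bytes."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B, algorithms other than RSAMD5): a 16-bit
    checksum-style sum over the RDATA. It is not a hash, so a validator tries
    every DNSKEY whose tag matches rather than assuming uniqueness."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types a validator in this example supports (RFC 4509 added 2, RFC 6605 added 4).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(canonical owner name | DNSKEY RDATA) (RFC 4034 s5.1.4), as hex."""
    return DIGEST_TYPES[digest_type](canonical_owner_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str, digest_type: int = 2) -> str:
    """The DS RR the parent publishes for this child DNSKEY, in presentation format.
    Only a zone key (flag bit 7, value 256) may be referenced by a DS."""
    if not flags & 0x0100:
        raise ValueError("DS must reference a zone key (flag 256 set)")
    rdata = dnskey_rdata(flags, 3, algorithm, base64.b64decode(pubkey_b64))
    return (f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def ds_matches_dnskey(ds_rdata: str, owner: str, flags: int, algorithm: int, pubkey_b64: str) -> bool:
    """The validator's side: recompute tag, algorithm and digest for the child's DNSKEY
    and compare with the parent's DS RDATA ('tag alg dtype hex'). An unsupported digest
    type yields False: such a DS cannot authenticate anything and must not be treated as secure."""
    tag, alg, dtype, digest = ds_rdata.split()
    if int(dtype) not in DIGEST_TYPES:
        return False
    rdata = dnskey_rdata(flags, 3, algorithm, base64.b64decode(pubkey_b64))
    return (int(tag) == key_tag(rdata)
            and int(alg) == algorithm
            and digest.upper() == ds_digest(owner, rdata, int(dtype)))


if __name__ == "__main__":
    # Constructed key material: flags 257 = zone key + SEP (a KSK), algorithm 8 = RSASHA256.
    # "AQI=" is the two-byte blob 0x01 0x02, far shorter than any real RSA key.
    print(ds_record("NIST.gov", 257, 8, "AQI="))
```

The same owner name written as NIST.gov, nist.gov or nist.gov. yields the same DS because the digest is computed over the canonical (lowercased, wire-format) name; a DS generated from the presentation-format name as typed would silently fail validation.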

Trustworthy Email

Email is still one of the primary means of communication on the Internet.  However, email is inherently insecure, and users are taught to mistrust even email that appears to come from trusted sources.  Several methods to add security (e.g. sender authentication, confidentiality) have been proposed, but few have gained wide acceptance.  Some of these methods rely on the DNS to publish key material or policy information.  With DNSSEC, the DNS records these methods depend on can themselves be authenticated, so the methods become trustworthy.  More importantly, with DANE the DNS acts as a trust infrastructure that lets mail servers with no prior relationship authenticate each other’s TLS certificates, turning opportunistic STARTTLS into authenticated, downgrade-resistant encryption.
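The DANE decision an outbound MTA makes, as an added example that is not part of the original page or of the HAD project's tools. It builds a "3 1 1" TLSA record from a server certificate's SubjectPublicKeyInfo, matches a presented certificate against it, and applies the RFC 7672 rule that a DNSSEC-validated TLSA RRset makes TLS mandatory and a validation failure must never fall back to cleartext. The certificate and SPKI bytes, the host name mail.example.test and the lookup results are constructed stand-ins (a real MTA obtains them from the TLS handshake and from a validating resolver's AD bit); the functions tlsa_owner, make_tlsa, matches and smtp_tls_policy are names chosen here, not an existing API.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins, not real DER: a DANE-EE match only hashes the bytes,
# so any byte string exercises the logic.
SERVER_SPKI_DER = b"\x30\x59\x30\x13SPKI-of-mail.example.test-constructed"
SERVER_CERT_DER = b"\x30\x82\x01\x00CERT-of-mail.example.test-constructed" + SERVER_SPKI_DER


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name the MTA queries for an MX host, e.g. _25._tcp.mail.example.test."""
    return f"_{port}._{proto}.{host.rstrip('.').lower()}."


def _selected(r: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    return cert_der if r.selector == 0 else spki_der


def _digest(r: TLSA, blob: bytes) -> bytes:
    if r.mtype == 0:
        return blob
    if r.mtype == 1:
        return hashlib.sha256(blob).digest()
    if r.mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unsupported matching type")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Record to publish. 3 1 1 (DANE-EE, SPKI, SHA-256) pins the key rather than the
    certificate, so a renewal that keeps the key does not invalidate the record."""
    r = TLSA(usage, selector, mtype, b"")
    return TLSA(usage, selector, mtype, _digest(r, _selected(r, cert_der, spki_der)))


def to_presentation(r: TLSA) -> str:
    return f"{r.usage} {r.selector} {r.mtype} {r.data.hex().upper()}"


def parse_tlsa(text: str) -> TLSA:
    u, s, m, hexdata = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata))


def usable(r: TLSA) -> bool:
    """RFC 7672: PKIX usages 0 and 1 are not applicable to SMTP; unknown parameter
    values make a record unusable."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def matches(r: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE match of the end-entity certificate: no PKIX chain and no name check.
    DANE-TA (usage 2) also needs the issuer chain and is not implemented here."""
    if r.usage != 3:
        return False
    return hmac.compare_digest(_digest(r, _selected(r, cert_der, spki_der)), r.data)


def smtp_tls_policy(answer: dict, cert_der: bytes, spki_der: bytes) -> str:
    """Decide how to talk to an MX from its TLSA lookup. answer is a constructed model of a
    validating resolver's result: {"status": "secure"|"insecure"|"bogus", "records": [TLSA]}."""
    status = answer["status"]
    if status == "bogus":
        return "defer"                 # validation failure: never fall back to cleartext
    if status == "insecure":
        return "opportunistic-tls"     # unsigned zone: DANE cannot apply, STARTTLS if offered
    if status != "secure":
        raise ValueError(f"unknown status {status!r}")
    if not answer["records"]:
        return "opportunistic-tls"     # secure denial of existence: no DANE policy published
    records = [r for r in answer["records"] if usable(r)]
    if not records:
        return "tls-unauthenticated"   # RRset present but unusable: TLS still mandatory
    if any(matches(r, cert_der, spki_der) for r in records):
        return "dane-authenticated"
    return "defer"                     # TLSA published but certificate does not match


if __name__ == "__main__":
    rec = make_tlsa(SERVER_CERT_DER, SERVER_SPKI_DER)
    print(tlsa_owner("mail.example.test"), "IN TLSA", to_presentation(rec))
    print(smtp_tls_policy({"status": "secure", "records": [rec]}, SERVER_CERT_DER, SERVER_SPKI_DER))
```

The two "defer" branches are the whole point of DANE for mail: an attacker who can tamper with DNS or strip STARTTLS gets a delivery delay, not a cleartext message. Key rollover therefore has to publish the new TLSA record alongside the old one, wait at least the record's TTL, switch certificates, and only then remove the old record.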

Figure: DANE MTA TLS Diagram

Associated Products

NIST Publication

Rose S., Borchert O., Mitchell S., Connelly S., Zero Trust Architecture, National Institute of Standards and Technology Special Publication (SP) 800-207, September 2019.

Software Release

Rose S., HAD Email Monitor, software release, March 2019.

Software Release

Rose S., HAD-dns-monitor, software release, March 2019.

NIST Publication

Chandramouli R., Nightingale J., Garfinkle S., Rose S., NIST SP 800-177r1 Trustworthy Email, NIST Special Publication 800-177r1, February 2019.

Conference Publication

Wang Z., Understanding the Performance and Challenges of DNS Query Name Minimization, 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, August 2018.

Journal Publication

Wang Z., Deep Learning-Based Intrusion Detection with Adversaries, IEEE Access, Volume 6., July 2018.

Journal Publication

Wang Z., Rose S., Energy-aware DNS Allocation, Sustainable Computing: Informatics and Systems, Vol 19 (Sept 2018), July 2018.

NIST Publication

Rose S., Feldman L., Witte G., Improving the Trustworthiness of E-Mail, and Beyond!, ITL Bulletin for April 2018, April 2018.

Audio

Karry S., Rose S., BAN047 Biometric Authentication News, Biometric Authentication News podcast, episode 047, February 2018.

Conference Publication

Wang Z., Yu S., Rose S., An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks, EAI Endorsed Transactions on Security and Safety, October 2017.

Presentation

Rose S., DNSSEC Operations in the .gov TLD, DNS-OARC 27, San Jose, CA, 28-30 September 2017, September 2017.

NIST Publication

Rose S., Feldman L., Witte G., Updating the Keys for DNS Security, ITL Bulletin, September 2017.

NIST Publication

Rose S., Waltermire K., Jha S., Irrechukwu C., Barker W., NIST Special Publication 1800-6: Domain Name System Based Electronic Mail Security, NIST Special Publication 1800-6, September 2017.

Online System

Rose S., RollReady Website, Webpage, September 2017.

Journal Publication

Wang Z., Huang J., Rose S., Evolution and Challenges of DNS-Based CDNs, Digital Communications and Networks, July 2017.

Online System

Rose S., HAD Email Test Tool, Web tool, May 2017.

Presentation

Barker W., Rose S., NIST SP 1800-6: Domain Name System Based Email Security, Messaging, Malware, Mobile Anti-Abuse Working Group 39th Meeting, February 2017.

Conference Publication

Gersch J., Massey D., Rose S., The Emergence of DANE Trusted Email for Supply Chain Management, Hawaii International Conference on System Sciences HICSS-50, January 2017.

NIST Publication

Rose S., Feldman L., Witte G., Making Email Trustworthy, ITL Bulletin, October 2016.

Service Deployed

Rose S., Nightingale S., HAD Email Test Tool, https://email-test.had.dnsops.gov/, August 2016.

Service Deployed

Rose S., High Assurance Domain Monitor, https://monitor.dnsops.gov/, August 2016.

Service Deployed

Rose S., Garfinkle S., NIST DANE Test Tool, https://dane-test.had.dnsops.gov/, May 2016.

Software Release

Rose S., HAD TLSA Toolbox, Perl Scripts, December 2015.

NIST Publication

Rose S., Chandramouli R., NIST Special Publication 800-81-2 Secure Domain Name System (DNS) Deployment Guide, National Institute of Standards and Technology Special Publication 800-81 Revision 2, September 2013.

Conference Publication

Rose S., DNSSEC Deployment in .gov: Progress and Lessons Learned, 26th Large Installation System Administration Conference (LISA 2012), pg 223-228, December 2012.

Standards Specification

Rose S., DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates, Internet Engineering Task Force Request for Comments 6725, August 2012.

Standards Specification

Rose S., Wijngaards W., DNAME Redirection in the DNS, Internet Engineering Task Force Request for Comments 6672, June 2012.

White Paper

Rose S., Polk T., Montgomery D., et al., Testing and Implementation Requirements for the Initial Deployment of DNSSEC in the Authoritative Root Zone, NTIA and NIST developed requirements specification, October 2009.

Journal Publication

Rose S., Chandramouli R., Open Issues in Secure DNS Deployment, IEEE Security & Privacy, Volume: 7, Issue: 5. Sept.-Oct. 2009., October 2009.

Conference Publication

Rose S., Chandramouli R., Nakassis A., Information Leakage Through the Domain Name System, Conference For Homeland Security, 2009. CATCH '09. Cybersecurity Applications & Technology, March 2009.

Conference Publication

Rose S., Chandramouli R., An Integrity Verification Scheme for DNS Zone File based on Security Impact Analysis, Computer Security Applications Conference, 21st Annual, July 2006.

Journal Publication

Rose S., Chandramouli R., Challenges in Securing the Domain Name System, IEEE Security & Privacy. Volume: 4, Issue: 1. Jan.-Feb. 2006, February 2006.

Conference Publication

Rose S., Chandramouli R., Integrity Checking of DNS Zone File Data Using XSLT, Computer Security Applications Conference, 21st Annual, July 2006, July 2005.

Standards Specification

Rose S., Austein R., Arends R., Massey D., Larson M., Protocol Modifications for the DNS Security Extensions RFC 4035, Internet Engineering Task Force Request for Comments 4035, March 2005.

Standards Specification

Rose S., Massey D., Arends R., Austein R., Larson M., Resource Records for the DNS Security Extensions, RFC 4034, Internet Engineering Task Force Request for Comments 4034, March 2005.

Standards Specification

Rose S., Massey D., Austein R., Arends R., Larson M., DNS Security Introduction and Requirements, RFC 4033, Internet Engineering Task Force Request for Comments 4033, March 2005.

Standards Specification

Rose S., Massey D., Limiting the Scope of the KEY Resource Record (RR), Internet Engineering Task Force Request for Comments 3445, December 2002.

Created August 14, 2016, Updated June 11, 2020