The goal of the HAD project is to design, standardize and help deploy new DNS security technologies to aid in building trust in online communications. NIST's HAD project team works with industry, the Internet Engineering Task Force and key user groups (e.g., the USG, the financial services sector) to define, evaluate and foster deployment of the new network security technologies necessary to enable trustworthy communications. More forward-looking research in the HAD project examines approaches that leverage secure DNS services to build trust infrastructures for challenging new domains, such as those posed by the Internet of Things.
Fostering change in global infrastructure is a long and difficult process even after new commercial products and services are available. Post-standardization activity in the HAD project includes the development of detailed deployment guidance and best common practice guides drawn from pilot deployments, and the development of test and measurement tools to aid both the product development community and network administrators working through the issues of early adoption and deployment. Some specific technologies being considered as part of the HAD project include:
The Domain Name System Security Extensions (DNSSEC) are a set of new DNS Resource Records (RRs) that add digital signatures over DNS data. These digital signatures add data authentication and integrity protection to DNS data. Trust with DNSSEC is built upon the existing DNS hierarchy, with parent zones (e.g., com, gov) encoding the security status of child zones (e.g., nist.gov). Emerging technologies such as DNS-based Authentication of Named Entities (DANE) leverage DNSSEC to enable the Domain Name System to be used as a ubiquitous, scoped key management and certificate infrastructure.
Email is still one of the primary means of communication on the Internet. However, email is inherently insecure, and users are taught to mistrust even email that appears to come from trusted sources. Several methods to add security (e.g., authentication, confidentiality) have been proposed, but few have gained wide acceptance. Some of these methods rely on the DNS to publish key material or policy information. With DNSSEC, these methods become trustworthy. More importantly, with DANE the DNS acts as a trust infrastructure that enables opportunistic encryption between mail systems with no previous knowledge of each other.
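As an added example (not NIST HAD project code), the TLSA matching step that a DANE-aware SMTP client performs when it compares the certificate a mail server presents against the TLSA record published under the server's name; the certificates are constructed placeholder byte strings standing in for real X.509 DER, and only the full-certificate selector (0) is implemented, since extracting the SubjectPublicKeyInfo from real DER is out of scope here.

```python
"""DANE TLSA matching for SMTP (RFC 6698 record semantics, RFC 7672 usage rules).

Added example, not NIST HAD project code. Certificates below are constructed
placeholder bytes, not real X.509 DER; only selector 0 (full certificate) is
handled.
"""
import hashlib
import hmac

DANE_TA, DANE_EE = 2, 3                    # certificate usages usable for SMTP
SELECTOR_FULL_CERT = 0                      # selector: hash/compare the whole cert
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2   # matching types


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name at which the TLSA record for a service is published."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def assoc_data(cert_der: bytes, mtype: int) -> bytes:
    """Certificate Association Data for selector 0 under the given matching type."""
    if mtype == MATCH_EXACT:
        return cert_der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa_rdata(cert_der: bytes, usage: int, mtype: int) -> str:
    """Presentation-format RDATA a zone operator would publish for cert_der."""
    return f"{usage} {SELECTOR_FULL_CERT} {mtype} {assoc_data(cert_der, mtype).hex()}"


def parse_tlsa(rdata: str):
    """Parse '<usage> <selector> <matching type> <hex data>' into its fields."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def tlsa_matches(rdata: str, chain: list) -> bool:
    """chain[0] is the server's end-entity certificate, the rest are its issuers."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("only selector 0 is handled in this example")
    if usage == DANE_EE:
        candidates = chain[:1]       # only the leaf itself may match
    elif usage == DANE_TA:
        candidates = chain[1:]       # an issuer presented in the chain must match
    else:
        return False                 # PKIX-TA/PKIX-EE are unusable for SMTP DANE
    return any(hmac.compare_digest(assoc_data(c, mtype), data) for c in candidates)
```

A real client would first confirm that the TLSA RRset itself was DNSSEC-validated; an unsigned or bogus answer gives no basis for trust.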