News regarding DNSSEC deployment

Sue Graves Sue_Graves at isc.org
Thu Sep 11 18:26:14 UTC 2008


Everyone,

On August 22, the US federal Office of Management and Budget (OMB) 
issued a memo to US federal government agencies, announcing that the 
.gov top-level domain would be DNSSEC-signed by the end of 2008 and 
directing agencies with domains under .gov to implement DNSSEC before 
the end of 2009.

The memo has generated significant attention and ISC has been
receiving questions about what it means to us, our customers, and DNS
operators in general.

The full text of the memo can be found at:
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf

Document referred to in the memo:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf
"Recommended Security Controls for Federal Information Systems"

The memo only directly affects operators and users of domains
under .gov. There is no requirement for use of DNSSEC in any of the
commercial TLDs, like .com, .net, or .org.

As with recent announcements that operators of other TLDs (such
as .se and .org) are signing their zones with DNSSEC, the memo is a
warning that DNSSEC can no longer be ignored and organizations should
be investigating and planning to implement DNSSEC as an important
part of improving DNS security.

Under the specific plans for .gov, the .gov zone will be signed in
production by the end of 2008. The OMB memo requires that operators of
subdomains under .gov must:
   * have an initial plan for signing their zones by Sept. 5, 2009
   * have a final plan after discussion with an OMB review group by Oct. 24
   * sign their .gov subdomains in production by Dec. 2009
   * include in the plan:
       * their .gov subdomains
       * how their DNS is structured and managed (in-house, outsource, etc.)
       * how they will provision DNSSEC
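The point of the parent (.gov) being signed before the subdomains is the chain of trust: once an agency signs its own zone, the .gov zone publishes a DS record carrying a digest of the agency's key-signing DNSKEY, and a validating resolver accepts the agency's keys only if they match that DS (RFC 4034). The script below is an added illustration, not part of this announcement or of BIND; the zone name and key bytes are constructed placeholders, and the key is algorithm 5 (RSASHA1) only because the key-tag and DS computations need an algorithm number, no real signing is performed.

```python
"""Added example: how a signed parent zone (.gov) vouches for a signed
subdomain via a DS record, per RFC 4034. Key material is constructed."""
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    preceded by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    body = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return body + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1):
    sum the RDATA as 16-bit big-endian words, fold the carry once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent zone publishes for the child's key-signing key."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def delegation_is_trusted(ds: dict, owner: str, rdata: bytes) -> bool:
    """The check a validating resolver makes before trusting a child's
    DNSKEY: tag, algorithm, digest type and digest must all match the DS
    obtained from the (signed) parent."""
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == rdata[3]
        and ds["digest_type"] == 2
        and ds["digest"] == ds_digest(owner, rdata)
    )


# Constructed sample data (not a real agency, not a real key).
CHILD_ZONE = "example-agency.gov"
# flags 257 = zone key + SEP (a KSK); algorithm 5 = RSASHA1.
CHILD_KSK_RDATA = dnskey_rdata(257, 5, bytes([3, 1, 0, 1]) + bytes(range(1, 17)))
# A key an attacker might try to substitute in a forged response.
ROGUE_RDATA = dnskey_rdata(257, 5, bytes([3, 1, 0, 1]) + bytes(range(17, 33)))

# What .gov would publish once the agency has signed its zone.
PARENT_DS = make_ds(CHILD_ZONE, CHILD_KSK_RDATA)

if __name__ == "__main__":
    print("DS for", CHILD_ZONE, "=>", PARENT_DS)
    print("genuine key accepted:", delegation_is_trusted(PARENT_DS, CHILD_ZONE, CHILD_KSK_RDATA))
    print("rogue key accepted:  ", delegation_is_trusted(PARENT_DS, CHILD_ZONE, ROGUE_RDATA))
```

The rogue key is rejected because its digest cannot match the DS in the parent, which is why a signed .gov matters: without it the DS itself could be forged, and the chain would have nowhere trustworthy to start.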

An additional consequence of this step, besides making DNSSEC more
prominent, will undoubtedly be to increase available experience with
DNSSEC, allowing other operators and users to draw on it as they move
forward with their own DNSSEC deployments.

ISC has been a leader in advancing the technical standards and
practices promoting DNSSEC, and provides several kinds of assistance
with DNSSEC deployment for the Internet.  ISC first implemented
DNSSEC in BIND version 9.3, and has been using BIND with DNSSEC
in ISC deployed services since 2005.  ISC also provides hands-on 
training for interested operators about how to use it as part of the
Advanced DNS Topics training course offered by ISC.  Additional
information can be found on our website at:

* DNSSEC in 6 Minutes presentation
      http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
* DNSSEC Introduction and Resources
      http://www.isc.org/sw/bind/docs/dnssec.html

ISC believes that DNSSEC is the only viable way to fully protect DNS
data from cache poisoning and other falsification of DNS data between
you and your users.  Stay tuned for more information on how ISC can
assist your organization in deploying DNSSEC for the benefit of your
users.



More information about the bind-announce mailing list