Are You Ready for DNSSEC Deployment?

Untitled Document

It's no surprise that the U.S. government's reliance on the Internet to disseminate and provide access to information has significantly increased over the years. While the use of technology has grown, so have the risks associated with potential unauthorized use, compromise and loss of the .gov domain space.

After a major vulnerability in the Domain Name System (DNS) was discovered last summer, the Office of Management and Budget responded by issuing a mandate for deploying Domain Name System Security Extensions (DNSSEC), the recently defined security standard, to all federal systems by December 2009.

DNS is a core Internet service that translates human-friendly computer names (such as into IP addresses. While it has always been known that there have been flaws in the DNS system, it wasn't until security researcher Dan Kaminsky discovered a significant attack on the domain-name system that the U.S. government committed to deploying DNSSEC. By migrating from DNS to DNSSEC, agencies would be able to ensure the integrity of Internet names and addresses.

DNSSEC is a secure version of DNS that uses digital signatures and public-key encryption that provides assurance that domain names are being mapped to the correct IP address. While all federal systems must comply by the end of the year, deploying DNSSEC is difficult and requires hardware and software components from multiple vendors. It also creates new operational duties related to key generation, zone file signing, and key management. Although organizations are expected to comply and meet the fast-approaching deadline, few have the specialized skills and technical expertise required for a successful migration.

This article examines the operational and administrative requirements organizations need to consider as they migrate from a traditional DNS infrastructure to one based on DNS Security Extensions (DNSSEC).

DNSSEC provides security in internet communications

It has always been possible for criminals to use the DNS to masquerade as trustworthy online entities using a technique known as DNS cache poisoning. The Kaminsky exploit increases the danger of cache poisoning attacks by making them easier to launch and almost impossible to detect.

Faced with the threat of large-scale disruption, identity theft and fraud, DNSSEC has become widely recognized as not only the solution to such forms of attack, but a way to provide additional security-in-depth for the Internet. In addition, deployment of DNSSEC will enable new services and security applications as a result of validated and authenticated data from the DNS.

Because DNSSEC deployments are relatively new, there are few operational DNSSEC signed zones worldwide and a general lack of technical expertise, making the migration difficult. DNSSEC deployment may require limited effort, or it may require large-scale changes in the maintenance of DNS zones and servers. The specifics of the changes required depend on the current hardware, software, security requirements, traffic load, and zone management processes that apply to the agency.

Within each agency, authoritative server configuration, zone file structure, and server interactions must be mapped clearly. DNS software on authoritative and recursive name servers may need to be upgraded to new versions that support DNSSEC, and DNSSEC must be enabled and configured correctly. To ensure proper configuration and eliminate points of failure, all network infrastructure must be tested to verify that it supports DNSSEC.

As agencies become increasingly reliant on digital communications, the importance of a robust security system becomes apparent in addressing concerns of privacy and security on the Internet. In addition to having the technical expertise required for implementation, it is also important to consider the risks associated with identity, integrity, privacy, authentication and access control.

Keeping everything under lock and key

DNSSEC uses public key cryptography -- the science of analyzing and deciphering codes -- to digitally sign DNS messages and places new computational loads on servers that sign DNS zones. These digital signatures guarantee the validity of response to queries because a digitally signed version makes it impossible for cyber crooks to masquerade as another entity.

In public key cryptography, a user has a pair of cryptographic keys -- a public key and a private key. The private key is kept secret, while the public key may be distributed. A message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender had access to the private key (and therefore is the person associated with the public key used).

DNSSEC digitally signs DNS responses using the domain owner's private key. However, without a HSM, that private key could be easily found, and if the private key ever falls into the hands of a fraudster, then security is completely compromised.

When DNSSEC is fully deployed, there is a key associated with every zone of the DNS hierarchy: a key for the root zone, a key for each top-level domain (e.g. .com and .org) and a key for each enterprise level.

HSMs are a critical component of any encryption-based security solution because they safeguard cryptographic keys and protect applications, transactions, and information assets. In DNSSEC, HSMs are used to generate, store and manage the cryptographic keys that sign DNS records and zones.

The whole point of hardware security modules is that they keep private keys private and ensure information isn't vulnerable to misuse or theft. A HSM is a physical device that is designed to generate and store cryptographic keys. Without a HSM, cryptographic key material is easy to find by hackers with malicious intent. When stored on a general purpose computer, key material can be readily copied by a legitimate user or stolen by an attacker in a wide range of ways.

Agencies that deploy DNSSEC without integrating a hardware security module into their infrastructure open themselves up to risk of exposure. Relying on a general purpose computer to store cryptographic information is like putting an expensive padlock on the front door to your home but leaving the keys outside where someone can see them, copy them and walk away with them for use whenever they choose. As with cryptographic keys, once somebody has that key, they can impersonate and act with your authority without warning and without your knowledge. With a HSM in place, cryptographic and sensitive data material is protected from non-authorized use and potential adversaries.

However, not all HSMs are created equal. When evaluating HSMs, be sure to look for a solution that has received Level 4 certification in the Federal Information Processing Standards (FIPS) program, FIPS 140-2. FIPS validation ensures that a device meets the high level of physical security required when protecting private keys on a HSM. This includes tamper resistance, data security, physical security and access control.

Due to the silent nature of cyber crime, security breaches can go undetected for an extended period of time. With a physical HSM device protecting sensitive data and applications, agencies can prevent hackers from compromising the integrity of their information. By integrating a HSM with FIPS 140-2 Level 4 certification into DNSSEC deployment, agencies will have the security of strong encryption technology that offers the highest degree of protection to keep employees and citizens protected from fraudulent DNS responses that could be used for serious frauds or attacks.

Meeting the deadline

Partnering with a security consultant can help ensure federal agencies select the best validation level suited to their application and ease the process of deploying DNSSEC. Some of the issues around cryptography, security policy, key management, and operational procedure may be new to DNS administrators. Deploying DNSSEC in accordance with NIST (National Institute of Standards and Technology) guidelines and FISMA (Federal Information Security Management Act) reporting will be a significant undertaking. It will require effort analysis, planning and testing, and likely new hardware, software and processes to assure the mandated operational capability. A partner with experience in DNSSEC deployment can assist with auditing the current infrastructure and provide a plan for a successful migration.

Integrating hardware security modules as part of the DNSSEC deployment process is essential in generating, storing and guarding private keys and in providing the highest level of security possible. As agencies look to protect information and applications from DNS threats and meet the December deadline, cryptographic hardware solutions can protect the system and keep citizens and employees safe from cyber attacks.

About the Author

Author Fergal Murray is the director of Business Development for Somerset, N.J.-based AEP Networks, a company offering secure communications, networking and application access for government, enterprise and carriers. More information can be accessed at

More by Fergal Murray