Last week the Office of Management and Budget released memorandum M-08-23, titled Securing the Federal Government’s Domain Name System Infrastructure. The document states that the top level .gov domain will be DNSSEC signed by January 2009, with agency .gov domains to follow by December 2009. This is in response to the DNS cache poisoning attack that Dan Kaminsky made public a few months ago.
New Policy
This memorandum addresses two important issues in following through with the existing policy and expanding its scope to address all USG information systems.
A. The Federal Government will deploy DNSSEC to the top level .gov domain by January 2009. The top level .gov domain includes the registrar, registry, and DNS server operations. This policy requires that the top level .gov domain will be DNSSEC signed and processes to enable secure delegated sub-domains will be developed. Signing the top level .gov domain is a critical procedure necessary for broad deployment of DNSSEC, increases the utility of DNSSEC, and simplifies lower level deployment by agencies.
B. Your agency must now develop a plan of action and milestones for the deployment of DNSSEC to all applicable information systems. Appropriate DNSSEC capabilities must be deployed and operational by December 2009. The plan should follow recommendations in NIST Special Publication 800-81 “Secure Domain Name System (DNS) Deployment Guide,” and address the particular requirements described in NIST Special Publication 800-53r1 “Recommended Security Controls for Federal Information Systems.”
The plan should report your agency’s current level of compliance with the current DNSSEC requirements of NIST Special Publication 800-53r1, and document a plan of action and milestones that assume the scope of the requirement to operate DNSSEC signed zones (SC-20) will be expanded to cover all FISMA information systems (including low impact systems) in revision 3 of NIST Special Publication 800-53. The plan should ensure that all Agency .gov domains are DNSSEC signed by December 2009.
[…] Now I am all for DNSSEC because at this time it is the best working model to reduce the risks that threaten traditional DNS. My concern is how is this “mandate” going to be implemented? DNSSEC is not a simple task to deploy and I can’t imagine that anyone is claiming that it won’t be a big deal. You have the RRSIG, the DNSKEY, the DS, and the NSEC which are all new records that need to be created and validated. In addition to the control of the private key used for signing. InfoSecEvents has more about the top level .GOV domains moving to DNSSEC here. […]
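The memo's "secure delegated sub-domains" and the DS record in the list above are the same thing: for an agency zone under .gov to validate, the .gov parent must publish a DS record whose digest matches the agency's DNSKEY, and a resolver recomputes that digest to link the two zones. The script below is an added example, not code from the post or from OMB or NIST; it implements the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509) from a DNSKEY, then checks a DS against a DNSKEY the way a validator does. The owner name Example.GOV and the four-byte public key are constructed placeholders, not a real key, so the output only illustrates the procedure.

```python
"""Compute and verify a DNSSEC DS record from a DNSKEY.

Added example (not from the original post). Key tag follows RFC 4034 Appendix B
(the separate rule for the obsolete algorithm 1 is not implemented); the DS
digest is hash(canonical owner name || DNSKEY RDATA) per RFC 4034 section 5.1.4.
The owner name and key bytes used at the bottom are constructed placeholders.
"""
import hashlib
import struct

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA.
    It only identifies a key; it is not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest hex) that the
    parent zone publishes for this child DNSKEY."""
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)  # digest covers owner name || RDATA
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()


def ds_matches_dnskey(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: does the DS from the parent authenticate this
    DNSKEY from the child? An unsupported digest type never matches."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST_ALGS:
        return False
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


# Constructed placeholders: flags 257 = zone key with the SEP bit (a KSK),
# protocol 3, algorithm 8 (RSA/SHA-256). The key bytes are NOT a real key.
EXAMPLE_OWNER = "Example.GOV."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes([0x01, 0x02, 0x03, 0x04]))

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(EXAMPLE_OWNER, EXAMPLE_RDATA)
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("matches:", ds_matches_dnskey(EXAMPLE_OWNER, EXAMPLE_RDATA, (tag, alg, dtype, digest)))
```

Two things the code makes visible: the digest is bound to the lowercased owner name, so a DS copied to the wrong delegation point fails to validate even with the correct key bytes, and a single flipped key byte changes both the tag and the digest. Neither the tag nor the DS proves anything about the private key; that is what the RRSIG over the zone's DNSKEY RRset is for, and why the author's point about controlling the signing key matters.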