An official government memo describes new policy regarding DNSSEC implementation

Aug 29, 2008 13:29 GMT

The White House released a memo, signed by Karen Evans, the Administrator for the Office of E-Government and Information Technology, which instructs all government agencies to prepare for securing the federal government’s DNS infrastructure over the next year.

The document outlines a plan for the agencies to deploy DNSSEC in order to secure government networks and communications. Under this plan, the top-level .gov domain will be secured with DNSSEC by January 2009 and all .gov sub-domains must be secured by December 2009.

In order to achieve this, every federal agency has to develop its own plan of action by October 2008. Such a plan must specify the number of second-level .gov domains the agency operates and who administers DNS for each of them (in house, third-party provider, etc.), the DNS server implementations currently in use (BIND, NSD, etc.), and the infrastructure impediments to DNSSEC deployment along with possible resolutions for them.

Ultimately, such a plan will cover everything from necessary acquisitions, training, testing and server priorities to implementation and deployment milestones. The memo explains the necessity of these measures: "The Government’s reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space".

Earlier this year we reported on a major security vulnerability in the DNS system discovered by security researcher Dan Kaminsky. The flaw allows attackers to inject forged entries into legitimate DNS servers. Moreover, the patch released to address this issue, which was deployed on the majority of DNS servers worldwide, proved insufficient. One of the alternative solutions we mentioned was DNSSEC, a public-key-based extension to DNS that secures DNS responses.

Although some governments around the world have already adopted it, DNSSEC requires more resources and a more robust infrastructure than regular DNS, requirements that slow down implementation. Recent incidents such as the cache poisoning of China NETCOM’s DNS servers in order to distribute malware show the potential dangers to which users and sensitive information can be exposed.