DNSSEC

DNSSEC (DNS Security Extensions) is a set of specifications used to add an additional layer of security to the Domain Name System (DNS). DNSSEC was designed to prevent specific types of popular attacks on the Internet and protect against these threats to the Domain Name System. The specific extensions provide origin authentication of DNS data, data integrity, and authenticated denial of existence. [Source: Webopedia]

DNSSEC and .edu

On August 2, 2010, EDUCAUSE and VeriSign announced the completion of a project to deploy DNSSEC within the .edu portion of the Internet, which EDUCAUSE manages under a cooperative agreement with the U.S. Department of Commerce. Institutions whose domain names end in .edu will now be able to utilize digital signatures to mitigate certain DNS security vulnerabilities, such as cache poisoning and man-in-the-middle attacks.

The University of Pennsylvania recently announced its successful implementation institution-wide of DNSSEC technology. Read the press release for additional details.

Adopting DNSSEC in the Higher Education Institution

What the CIO Should Know

The adoption of DNSSEC is another opportunity for higher education to show leadership in the use and advancement of the Internet. Every decision maker in the higher education IT community should know about DNSSEC and consider adding it to the maintenance schedule. Colleagues that have already signed their zones include berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, and ucaid.edu.

What the Technical Staff Should Know

For institutions that host their own DNS, the technical team will need to learn about signing, upgrade to DNSSEC-aware DNS software, and proceed with signing their zones. For institutions whose DNS is hosted by an ISP, the technical staff will need to find out when the ISP plans to support DNSSEC and the enhanced reliability and stability it provides. Learn more about DNSSEC by reviewing the resources on this page and by browsing DNSSEC.net and the VeriSign resource page.

Technical Resources

• Tool Guide Series on DNSSEC, a VeriSign publication detailing how to DNSSEC-enable your DNS zones using BIND, OpenDNSSEC, DNSSEC TOOLS, and ZKT.
• NIST Secure Domain Name System (DNS) Deployment Guide - (August 2009 Draft) This document provides deployment guidelines for securing DNS within an enterprise.
• DNSViz, a tool for visualizing the DNSSEC status of a DNS zone.
• DNSSEC Debugger, a DNSSEC debugging tool from VeriSign Labs.
• DNSSEC HOWTO, a "tutorial in disguise".
• DNSSEC Key Maintenance Analysis, a document that provides advice on DNSSEC key management.
• DNSSEC Validator, a Firefox add-on (still in alpha, not yet reviewed by Mozilla, use at your own risk).

General Resources

• VeriSign announced that they have achieved a critical DNSSEC milestone by deploying security extensions in .com top level domain. March 31, 2011.
• DNSSEC for the .edu Domain, EDUCAUSE Live! April 29, 2010 - a presentation explaining DNSSEC: what it is, why you need to implement it, who has already implemented it, and how to get started.
• 7 Things You Should Know About DNSSEC, EDUCAUSE, January 2010.
• Internet2 DNSSEC Special Interest Group (SIG) is a collaborative forum for the research and education community to share information and support each other in deploying DNSSEC
• DNSSEC Coalition is a global group of registries and industry experts whose mission is to work collaboratively to facilitate adoption of Domain Name Security Extensions (DNSSEC) and streamline the implementations across Domain Name Registries.
• DNSSEC Deployment Initiative - This initiative works to encourage all sectors to voluntarily adopt security measures that will improve security of the Internet’s naming infrastructure, as part of a global, cooperative effort that involves many nations and organizations in the public and private sectors. The U.S. Department of Homeland Security Science and Technology (S&T) Directorate provides support for coordination of the initiative.This website provides case studies, guidelines, a learning center, and a DNSSEC This Month newsletter.
• DNSSEC Deployment Initiative Roadmap (2007 release) - This roadmap, revised March 16, 2007, describes the basic goal for deployment; the current state of practice, gaps and barriers; a set of sequences and dependencies; and next steps.
• DNSSEC - DNS Security Extensions - This website provides important background information on the history and development of the DNSSEC protocol. It also contains references to all major DNSSEC projects, presentations, research work, DNSSEC enabled software, and IETF reference material.
• DNSSEC: The Protocol, Deployment, and a Bit of Development - This article by Miek Gieben (NLnet Labs) offers a useful introduction to the protocol.
• The FISMA Implementation Project promotes the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act (FISMA).
• NIST DNSSEC Project - This website provides information on NIST's contribution to securing DNS is in aiding deployment and determining the impact of the new security transactions on server performance.
• The USG Secure Naming Infrastructure Pilot (SNIP) is a joint project involving NIST, SPARTA Inc, and the Department of Homeland Security. The main goal is to provide a test domain for participants to use and become familiar with the DNS Security Extensions (DNSSEC) and how they will affect current DNS operations.

Updated August 2011