The White House Office of Management and Budget (OMB) has issued a mandate to federal agencies to address DNS security, affecting all government top-level domains (.gov). The deadline for the mandate is January 2009.
“The Government’s reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space,” said Karen Evans, the Administrator of the Office of E-Government and Information Technology, in the memo.
Because the top-level domain .gov – like every other top-level domain – requires DNS to translate between IP addresses and domain names, it is important to secure it against attack. The attack, while not mentioned by name in the memo, is clear. The move to DNSSEC is to help mitigate the DNS issues discovered and reported by Dan Kaminsky.
“This memorandum describes existing and new policies for deploying Domain Name System Security (DNSSEC) to all Federal information systems by December 2009. DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet,” Evans explains.
DNSSEC, or Domain Name System Security, digitally signs DNS requests, preventing forgery and poisoning attacks on DNS itself. It allows users (browsers, more than likely) to check and prove that the signed DNS request originated from the authoritative DNS server for that domain.
If you remember, this was exactly the flaw Kaminsky described, and the same flaw that got so much attention after all the major DNS vendors moved to patch vulnerable DNS servers.
However, while the patched DNS servers make it hard for an attacker to succeed, they do not make the attack impossible; only DNSSEC can help with that.
All government agencies must have proposals and plans of action turned in by September 05, with final plans in place by October 24. Top-level .gov domains must have DNSSEC by January 2009, while .gov subdomains must have DNSSEC in place by December 2009.