The U.S. military's years-long effort to deploy DNS Security is a good example of how difficult it is for enterprises to retrofit their networks with security fixes to the Internet's underlying protocols.
An early and ongoing participant in the development of DNS Security, the Defense Department has worked both directly and through contractors to prepare .mil to be the Internet's first domain to deploy DNS Security. Yet despite efforts going back at least five years, .mil remains vulnerable to hackers who want to spoof one of its Web sites by exploiting well-known holes in DNS.
DNS Security adds digital signatures and public key encryption to the DNS' hierarchical, distributed database system to verify that a domain name matches a corresponding IP address. Developed by the Internet Engineering Task Force, DNS Security was issued as a proposed standard in November 2000.
Since then, the Defense Information Systems Agency has been working to deploy DNS Security across the thousands of applications servers in use today on .mil that provide Web, e-mail and other services. The upgrade involves migrating all of these servers to the latest version of Berkeley Internet Name Domain (BIND) software, 9.2.1, which supports DNS Security.
DISA officials say they are deploying DNS Security in two phases. First they are rolling out the Secret Key Transaction Authentication for DNS, dubbed TSIG. TSIG provides transaction-level authentication for the dynamic updates coming from DNS clients as well as the responses sent by DNS servers. Next, DISA will deploy Signed Zones, which use digital signatures to verify information for a particular spot in the DNS hierarchy.
Together, TSIG and Signed Zones will ensure that the .mil "domain name information and transactions are genuine," a DISA spokesman says. "DISA plans to implement both Transaction Authentication and Signed Zone as soon as technically feasible."

DISA is rolling out TSIG on DNS servers under its control at the highest levels of the .mil hierarchy, a process that will be completed by the end of the calendar year. DISA then plans to coordinate with the military's Joint Staff to address TSIG deployment on DNS servers under the control of various military services and agencies.
DISA will not start signing zones under the .mil domain until the IETF finalizes a companion specification called Delegation Signer Resource Record. Delegation Signer streamlines how parent domains hand out keys to child domains. The IETF is expected to complete Delegation Signer before the end of the year.
"We strongly support the [Delegation Signer] record, and DISA's implementation will depend on its stability," the DISA spokesman says. "With [Delegation Signer] support available, several issues with DNS Security key management will become much simpler and will be better for DOD in the long run."

DISA says it will begin signing the .mil zone once Delegation Signer support is stable in BIND 9.3. That's not likely to happen until the middle of 2003, experts say.
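The Delegation Signer record discussed above carries, in the parent zone, a digest of the child's key-signing DNSKEY rather than the key itself, so a validating resolver can check that the DNSKEY a child zone serves is the one its parent actually delegated to. The Python below is an added example, not DISA's or BIND's code: it builds a DS record for a constructed child zone and key using the DS and key-tag formats later standardized in RFC 4034, then shows the check rejecting a substituted key. The zone name and key bytes are made up.

```python
import hashlib

# Constructed child zone and key material for illustration only;
# not a real .mil zone and not a real RSA public key.
CHILD_ZONE = "child.example.mil."
CHILD_PUBKEY = bytes.fromhex("03010001abcd")
DNSKEY_FLAGS_KSK = 257      # Zone Key bit + Secure Entry Point bit
DNSKEY_PROTOCOL = 3         # fixed value for DNSSEC keys
ALG_RSASHA1 = 5
DIGEST_SHA1 = 1


def name_to_wire(name: str) -> bytes:
    """Encode a fully qualified name in canonical (lowercase) wire format."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS RDATA the parent publishes: (key tag, algorithm, digest type, SHA-1 digest)."""
    digest = hashlib.sha1(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], DIGEST_SHA1, digest


def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Chain-of-trust link: does this DNSKEY at the child apex match the parent's DS?"""
    tag, alg, digest_type, digest = ds
    if digest_type != DIGEST_SHA1 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hashlib.sha1(name_to_wire(owner) + rdata).digest() == digest


if __name__ == "__main__":
    rdata = dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL, ALG_RSASHA1, CHILD_PUBKEY)
    ds = ds_record(CHILD_ZONE, rdata)
    print(f"{CHILD_ZONE} DS {ds[0]} {ds[1]} {ds[2]} {ds[3].hex().upper()}")
    # A key the parent never delegated to fails the check, which is what
    # lets a validator reject a spoofed delegation.
    forged = dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL, ALG_RSASHA1, bytes.fromhex("03010001dead"))
    print("genuine key matches:", dnskey_matches_ds(CHILD_ZONE, rdata, ds))
    print("forged key matches:", dnskey_matches_ds(CHILD_ZONE, forged, ds))
```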
So far, DISA has run into some issues with TSIG, which requires DNS administrators to manage cryptographic keys. The agency is looking for management software to ease the burden of DNS Security key management. It's also beefing up training and setting policies for its DNS administrators.
While TSIG deployments have had little impact on DISA's networks, the agency says it's gearing up for a significant increase in system load and network bandwidth requirements with Signed Zones.
"We've conducted extensive load and performance testing of the BIND 9 software releases, and we're confident that it will be usable and stable in the field," the DISA spokesman says. "There will likely be some need for hardware upgrades, but other security requirements will also affect DNS servers. For example, we expect to require that all DNS servers in DOD be dedicated to performing only DNS functions with minimal other software installed for security and administration. If dedicated DNS servers are in use, then we expect most modern computer systems can sustain the expected load even with the addition of DNS Security Signed Zones."

Once DISA has deployed both aspects of DNS Security, the agency plans to help the U.S. federal government with deployment across the .gov domain.
"We are active participants in the IETF and have held a number of DNS Security workshops," the DISA spokesman says. "We are documenting our experiences for use by other organizations as they implement DNS Security functionality in the future."