In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. While DNSSEC is not the best ultimate solution, it is the best option currently available. Here are the additional resources suggested by the White House:
The following resources provide additional technical information and guidance to support your agency's DNSSEC deployment.
DNSSEC Deployment Plan Outline (Edited from that provided by the White House):
Section 1 - Enumerate Your Organizations Domains. Enumerate the second level domains beneath .com, .net (etc.) operated by your organization (or on behalf of your organization). Only the second level sub-domains need to be listed.
Section 2 - Identify Sources of DNS Services. For each domain listed above, describe if your DNS administration and server operation are provided in house, outsourced to a commercial provider (e.g., vendor), or delivered by other means (e.g., provided by another group or agency).
Section 3 - Describe DNS Server Infrastructure. Document the provider, vendor, or source of DNS server implementations within your organization (e.g., BIND, NSD, Microsoft Advanced Directory, etc.). Include in your estimate the number and versions of such servers per source.
Section 4 - Identify and Address Barriers. Document any perceived technical, contractual or operational barriers impeding deployment of DNSSEC, and required milestones for addressing each.
Section 5 - Train and Pilot. Review the activities of the USG Secure Naming Infrastructure Pilot at www.dnsops.gov and plan for your agency will participate in this pilot test bed, as well as associated training workshops.
Section 6 — Plan of Action and Milestones. Document your organizations plan of action and milestones to fully implement the policies described in this memo. In particular this plan should detail all key activities (e.g., acquisition if necessary, training, test, deployment, operations plans with priority given to citizen services and E-government domains especially those that collect any personally identifiable information) and milestones necessary to achieve the goal of fully operating DNSSEC signed .gov sub-domains by December 2009.
By Paul Parisi, Chief Technology Officer at DNSstuff.com
Related topics: DNS, DNS Security, Security
To post comments, please login or create an account.
Top-Level DomainsSponsored byMinds + Machines | |
DNSSponsored byNeustar UltraDNS | |
MobileSponsored bydotMobi | |
DNS SecuritySponsored byAfilias | |
IPv6Sponsored byNominum | |
SecuritySponsored byVerisign |
