News

NIST Updates DNS Security Guidelines

The National Institute of Standards and Technology (NIST) is updating its recommendations for meeting the unusual security challenges presented by the domain name system (DNS), which underpins much of the Internet by mapping user-friendly domain names to numerical IP addresses.

"The domain name data provided by DNS is intended to be publicly available to any computer located anywhere in the Internet," NIST states in Special Publication 800-81, "Secure Domain Name System Deployment Guide." "Because DNS data is meant to be public, preserving the confidentiality of DNS data pertaining to publicly accessible IT resources is not a concern. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit."

Achieving those goals requires good network security practices that encompass up-to-date software patches, process isolation and fault tolerance, and the use of the more specific DNS Security Extensions (DNSSEC) to digitally sign and authenticate DNS query and response transactions.

NIST outlined the following basic steps for deploying DNSSEC for zone information:

  • Install a DNSSEC-capable name server.
  • Check zone file(s) for possible integrity errors.
  • Generate asymmetric key pairs for each zone and include them in the zone file.
  • Sign the zone.
  • Load the signed zone onto the server.
  • Configure the name server to turn on DNSSEC processing.
  • Send a copy of the public key to the parent for secure delegation (optional).

In addition to minor textual corrections, the guidance includes the following revisions:

  • Updated recommendations for cryptographic parameters based on NIST Special Publication 800-57.
  • A discussion of NSEC3 Resource Record in DNSSEC.
  • A discussion of DNSSEC in split-view deployments.
  • Minor fixes of examples and text.
  • Examples based on the name server daemon and Berkeley Internet Name Domain software.

NIST will hold two public commenting periods. The first one ends March 31; those interested in participating can send comments on the updated guidelines to [email protected].

In addition to integrity and authentication, ensuring the availability of DNS services and data is also important. DNS components are subject to denial-of-service attacks that seek to block access to the domain names. The NIST document provides guidelines for configuring deployments to prevent many of the denial-of-service attacks targeted at DNS.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

comments powered by Disqus

Featured

  • Death of the Dev Machine?

    Here's a takeaway from this week's Ignite 2020 event: An advanced Azure cloud portends the death of the traditional, high-powered dev machine packed with computing, memory and storage components.

  • COVID-19 Is Ignite 2020's Elephant in the Room: 'Frankly, It Sucks'

    As in all things of our new reality, there was no escaping the drastic changes in routine caused by the COVID-19 pandemic during Microsoft's big Ignite 2020 developer/IT pro conference, this week shifted to an online-only event after drawing tens of thousands of in-person attendees in years past.

  • Visual Studio 2019 v16.8 Preview Update Adds Codespaces

    To coincide with the Microsoft Ignite 2020 IT pro/developer event, the Visual Studio dev team shipped a new update, Visual Studio 2019 v16.8 Preview 3.1, with the main attraction being support for cloud-hosted Codespaces, now in a limited beta.

  • Speed Lines Graphic

    New for Blazor: Azure Static Web Apps Support

    With Blazor taking the .NET web development world by storm, one of the first announcements during Microsoft's Ignite 2020 developer/IT event was its new support in Azure Static Web Apps.

  • Entity Framework Core 5 RC1 Is Feature Complete, Ready for Production

    The first release candidate for Entity Framework 5 -- Microsoft's object-database mapper for .NET -- has shipped with a go live license, ready for production.

Upcoming Events