The U.S. government issued a memo last week mandating that all major agencies adopt a proposed technology to enable trusted lookups of domain information by December 2009.
The technology, known as DNSSEC, promises to secure the domain name system (DNS) against attempts to subvert the infrastructure, such as the cache poisoning attack found by researcher Dan Kaminsky earlier this year. However, the system requires public-key cryptography to secure communications with names servers as well as validate the identity of authoritative servers. Because of the technical hurdles -- and the political problems in designating companies or governments to hold the keys to the domain-name system -- both governments and private sector companies have held off deploying DNSSEC for more than a decade.
In a memo (pdf) to agency chief information officers, Karen Evans, Adminstrator for the Office of E-Government and Information Technology at the White House's Office of Management and Budget, said its time to lock down the infrastructure.
"The Government's reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space," Evans wrote.
While many security professionals see DNSSEC as a possible solution to the problems posed by the trust issues inherent in the domain name system, it is a controversial one. Rather than attempt to adopt the technology as a solution to the attack described by Kaminsky, DNS infrastructure experts recommended implementing source-port randomization as a workaround and as a solution far more likely to be deployed quickly. Because so much of the Internet relies on the domain-name system, co-opting the infrastructure can allow attackers significant control over a victim's networks, including intercepting e-mail messages and providing malicious update services.
The OMB has set a deadline for initial implementation plans of September 5, with mutually agreed on final plans completed by October 24, 2008.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos