The Secure Naming Infrastructure Pilot (SNIP)




Latest News:

FOSE 2012 DNSSEC Workshop Presentations posted.

The presentation slides from the FOSE 2012 DNSSEC workshop are now online at the DNSSEC-Deployment Initiative's website.

Email List for .gov Admins: gov-dns@nist.gov

A new email list has been set up for .gov administrators to discuss issues in DNSSEC deployment in .gov. Membership is restricted to government employees (Federal, state and local) and contractors directly supporting a .gov deployment. To join, send an email message to gov-dns-request@nist.gov with "subscribe " in the message subject.

New Email List for USG Email Server Admins: gov-email-ops@nist.gov

A new email list has been set up for USG administrators to discuss issues relating to operating email services for a government agency. Membership is restricted (like gov-dns) to government employees (Federal, state and local) and contractors directly supporting a .gov deployment. Joining works the same way as for the gov-dns list: send an email message to gov-email-ops-request@nist.gov with "subscribe " in the message subject.

Overview

The Secure Naming Infrastructure Pilot (SNIP) is a joint project involving NIST, SPARTA Inc, and the Dept. of Homeland Security. The main goal is to provide a test domain for participants to use and become familiar with the DNS Security Extensions (DNSSEC) and how they will affect current DNS operations. It is expected that USG DNS operators will use a basic SNIP delegation from the SNIP domain (dnsops.gov) and attempt to mirror the operational procedures they currently use with their .gov domain. They would then sign this new zone with DNSSEC, and develop and test the new procedures required to maintain a digitally signed DNS zone.

The driving force behind the creation of the SNIP project is the new Federal Information Security Management Act (FISMA), a set of security controls that all federal agencies must implement. One of the new controls is the deployment of DNSSEC to zone information in the .gov domain (maintained by the GSA). The SNIP was designed to help agency DNS administrators learn and deploy DNSSEC on their zones in order to meet the new controls.

In addition to being an education and training tool, the SNIP will also be available for some DNS and DNSSEC experimentation. Any experiments that are conducted using the SNIP infrastructure will be designed to have minimum impact on operations.

In addition to standard network connectivity, the SNIP servers will have an additional IPv6 enabled Internet2 connection. This will allow the dnsops.gov zone to be reachable through both IPv4 and IPv6 (for those with an Internet2 connection). This will also provide the opportunity to observe and test IPv4-IPv6 migration issues that will also be of interest to the USG administrator community.

Basic Structure

The main part of the SNIP domain tree is the dnsops.gov zone. SNIP administrators will maintain the dnsops.gov root and act as a registrar for signed subzones. Participants will act as delegated subzones from the dnsops.gov parent zone. Participants can set up their infrastructure to best mirror their current DNS operations. That way, DNSSEC processes can be made to conform to current practices at an organization, not cause a total revolution in procedures.

The SNIP infrastructure will look similar to most other typical DNS deployments:






Experiments

How Can I Participate?

The SNIP dnsops.gov domain is open to any organization that has a .gov delegation. The main objective is to get agencies and organizations on the track to deploy DNSSEC on their infrastructure and meet FISMA requirements for IT security. There are different levels of participation and agencies are not required to participate.

For others wishing to participate, the domain dnsops.biz is available for delegations. This is for organizations that may not qualify for, or do not wish to have, a delegation under dnsops.gov. Both domains are maintained by the SNIP administration team and have the same set of servers. Currently both zones have the same DNSSEC signing policy and key generation policy, but that may change in the future with regard to experimentation with procedures and tools.

Go to the SNIP registration page to get started. The SNIP administrators will work with your organization to get your zone integrated into the signed SNIP tree. Possible participation levels are:

The current SNIP trust anchors are available for those wishing to configure them in validating resolvers. Configuring the SNIP trust anchors does not require any participation. However, it may be necessary to subscribe to the SNIP mailing list or check back frequently to update the trust anchors. At least one rollover of one of the trust anchors will be performed every year. Which trust anchor (dnsops.biz or dnsops.gov) will be rolled, and the details, will be announced before the rollover takes place.

Resources

Associated Projects


Questions or comments should be sent to the SNIP admin

NIST is an agency of the U.S. Department of Commerce.
Date created 6/2/2008. Last updated 4/11/2012.