This is a page containing various papers, publications and presentations produced by NIST about the SNIP project, DNSSEC and how DNSSEC is used/mandated within the US Federal Government. This page will be updated with new material when available.
NIST Special Publication 800-81r1: Secure Domain Name System (DNS) Deployment Guide:
This Special Publication aims to provide guidance and recommendations for US Federal zone administrators, but contains information and best common practices that could apply to all DNS zone administrators. SP 800-81r1 is not an official regulation in itself, but is used as a reference in NIST SP 800-53 (the FISMA controls). There is also the following unofficial supplemental material:
Unofficial Errata (constantly updated).
Mapping NIST SP 800-81r1 Checklist Items to DISA DNS Configuration Checklist (and FISMA controls) (PDF)
Tips on meeting NIST SP 800-81r1 Checklist Items using:
Secure64 (PDF)
NSD (PDF)
Microsoft Server 2008 R2 (PDF)
NIST Special Publication 800-57 Part 3: Recommendations for Key Management Application Specific Guidance.
Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 3 provides guidance when using cryptographic features of current systems and provides guidance for system procurement, system installers, administrators and end users.
R. Chandramouli and S. Rose, "Open Issues in Secure Domain Name System Deployment" (PDF) IEEE Security and Privacy Sept/Oct 2009.
S. Rose and A. Nakassis. "Minimizing Information Leakage in the DNS" (PDF) IEEE Network, March/April 2008.
R. Chandramouli and S. Rose, "Challenges in Securing the Domain Name System" (PDF) IEEE Security and Privacy Jan/Feb 2006.
R. Chandramouli and S. Rose, "An Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis" (PDF) 21st Annual Computer Security Applications Conference, Nov. 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
S. Rose and W. Wijngaards. "Update to DNAME Redirection in the DNS" Work in Progress.
S. Rose. "Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry" Work in Progress.
S. Crocker and S. Rose "Signaling Cryptographic Algorithm Understanding in DNSSEC" Work in Progress.
The following are some past presentations and material from other presentations. Feel free to use this material as needed in producing your own in-house training/briefing. Given the rapid pace of deployment, some of this material may be out of date or superseded by new material. Please take that into consideration before reading and be sure to consult the latest news and documentation about DNSSEC.
Basic DNSSEC briefings:
High-level (PDF): Aimed at non-DNS experts with limited technical knowledge. Covers the basics of DNSSEC such as what it provides, how it works (at a high level) and basic deployment history.
Lower-level (PDF): Aimed at a technical audience who may know the basics of DNS. Goes into greater detail about how DNSSEC works.
FISC Presentation (PDF): Originally presented June 3rd, 2009 at the Federal Information Security Conference in Colorado Springs CO. General DNSSEC overview with lessons learned in early deployments.
JointTechs Winter 2011 DNSSEC tutorial (PDF): Aimed at administrators and those with basic DNS knowledge. A quick overview of DNSSEC and how DNSSEC works. Originally given at the JointTechs Winter 2011 meeting.
DNSSEC Workshop Course (PDF): Aimed at administrators and those with advanced DNS knowledge. An in-depth training course with hands-on portions for generating a signed zone and configuring a BIND server to be DNSSEC-aware.
Secure Naming Infrastructure Pilot (SNIP) briefing:
SNIP-Testbed (PDF): Originally presented March 12th, 2009 GovSec conference. Overview of the Secure Naming Infrastructure Pilot, what it provides and how to participate.
DNSSEC and FISMA:
FOSE 2011 Presentation (PDF): Originally presented at the 2011 FOSE conference. Does not cover FISMA in general, but calls out the DNS related FISMA controls found in NIST SP 800-53r3.
Secure64 "DNSSEC Declassified" Seminar Presentation (PDF): Originally presented July 27th, 2010 at Secure64 sponsored event. Contains same material as the FOSE presentation, with a general (very) high level overview of FISMA. Presentation also contains some lessons learned from early .gov deployments and the current status of DNSSEC in the .gov domain.
DHS Cybersecurity Conference and Workshop (PDF): Originally presented Oct. 5th, 2011 at the DHS Cybersecurity Conference and Workshop in Baltimore MD. This presentation provides some data on the continuous monitoring program by DHS FNS of DNSSEC deployment within the US Federal government.
Other:
What to Ask Vendors About DNSSEC (PDF): Originally presented March 12th, 2009 GovSec conference. Contains a list of questions network administrators should have in mind when considering DNSSEC products or services for their enterprise.
While not strictly speaking documents, the following software packages are from the original NIST DNSSEC project page. These software packages are no longer fully supported, but the SNIP admins are available to answer some questions:
Anonymizer Tool v1.0 (Java)
Secure Zone Integrity Checker v1.2 (Java tar file)
Secure Zone Integrity Checker v1.2 (Java .zip file)
NIST Traffic Capture Tool (C - requires libpcap and libpthread)
NIST QuerySim DNS Workload Simulation tool Version 0.9.2
Traffic monitoring Tool (requires libpcap and libpthread)
Questions or comments should be sent to the SNIP admin
Date created 08/05/2008. Last updated 1/30/2012.