Everyone, On August 22, the US federal Office of Management and Budget (OMB) issued a memo to US federal government agencies, announcing that the .gov top-level domain would be DNSSEC-signed by the end of 2008 and directing agencies with domains under .gov to implement DNSSEC before the end of 2009.
The memo has generated significant attention, and ISC has been receiving questions about what it means to us, our customers, and DNS operators in general.

The full text of the memo can be found at:
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf

Document referred to in the memo ("Recommended Security Controls for Federal Information Systems"):
http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf

The memo only directly affects operators and users of domains under .gov. There is no requirement for use of DNSSEC in any of the commercial TLDs, such as .com, .net, or .org. As with recent announcements that operators of other TLDs (such as .se and .org) are signing their zones with DNSSEC, the memo is a warning that DNSSEC can no longer be ignored, and that organizations should be investigating and planning to implement DNSSEC as an important part of improving DNS security.

Under the specific plans for .gov, the .gov zone will be signed in production by the end of 2008. The OMB memo requires that operators of subdomains under .gov:

* have an initial plan for signing their zones by Sept. 5, 2009
* have a final plan after discussion with an OMB review group by Oct. 24.
* sign their .gov subdomains in production by Dec. 2009
* include in the plan:
  * their .gov subdomains
  * how their DNS is structured and managed (in-house, outsourced, etc.)
  * how they will provision DNSSEC

An additional consequence of this step, besides making DNSSEC more prominent, will undoubtedly be to increase the available operational experience with DNSSEC, allowing other operators and users to draw on it as they move forward with their own DNSSEC deployments.

ISC has been a leader in advancing the technical standards and practices promoting DNSSEC, and provides several kinds of aid towards DNSSEC deployment for the Internet. ISC first implemented DNSSEC in BIND version 9.3, and has been using BIND with DNSSEC in ISC-deployed services since 2005.
ISC also provides hands-on training for interested operators on how to use DNSSEC, as part of the Advanced DNS Topics training course offered by ISC. Additional information can be found on our website at:

* DNSSEC in 6 Minutes presentation
  http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
* DNSSEC Introduction and Resources
  http://www.isc.org/sw/bind/docs/dnssec.html

ISC believes that DNSSEC is the only viable way to fully protect DNS data from cache poisoning and other falsification of DNS data between you and your users. Stay tuned for more information on how ISC can assist your organization in deploying DNSSEC for the benefit of your users.