The Secure Naming Infrastructure Pilot (SNIP)

Participation | DNSSEC Performance | Vendor Page | FAQ | Current Status of SNIP Tree | NEW Snapshot of DNSSEC deployment in the .gov Domain

Overview

Updated: The DNSSEC Deployment Initiative will again host a DNSSEC day at FOSE 2010. Agenda and registration information is now online. Plus a DNSSEC Pavillion on the expo floor!

The Secure Naming Infrastructure Pilot (SNIP) is a joint project involving NIST, SPARTA Inc, and the Dept. of Homeland Security. The main goal is to provide a test domain for participants to use and become familiar with the DNS Security Extensions (DNSSEC) and how they will affect current DNS operations. It is expected that USG DNS operators will use a basic SNIP delegation from the SNIP domain (dnsops.gov) and attempt to mirror their current operational procedures they currently do with their .gov domain. Then sign this new zone with DNSSEC, and develop and test new procedures required to maintain a digitally signed DNS zone.

The driving force behind the creation of the SNIP project is the new Federal Information Security Management Act (FISMA); a set of security controls that all federal agencies must implement. One of the new controls is the deployment of DNSSEC to zone information in the .gov domain (maintained by the GSA). The SNIP was designed to help agency DNS administrators to learn and deploy DNSSEC on their zones in order to meet the new controls.

In addition to being an education and training tool, the SNIP will also be available for some DNS and DNSSEC experimentation. Any experiments that are conducted using the SNIP infrastructure will be designed to have minimum impact on operations.

In addition to standard network connectivity, the SNIP servers will have an additional IPv6 enabled Internet2 connection. This will allow the dnsops.gov zone to be reachable through both IPv4 and IPv6 (for those with an Internet2 connection). This will also provide the opportunity to observe and test IPv4-IPv6 migration issues that will also be of interest to the USG administrator community.

Basic Structure

The main part of the SNIP domain tree is the dnsops.gov zone. SNIP administrators will maintain the dnsops.gov root and act as a registrar for signed subzones. Participants will act as delegated subzones from the dnsops.gov parent zone. Participants can set up their infrastructure to best mirror their current DNS operations. That way, DNSSEC processes can be made to conform to current practices at an organization, not cause a total revolution in procedures.

The SNIP infrastructure will look similar to most other typical DNS deployments:

Experiments

How Can I Participate?

The SNIP dnsops.gov domain is open to any organization that has a .gov delegation. The main objective is to get agencies and organizations on the track to deploy DNSSEC on their infrastructure and meet FISMA requirements for IT security. There are different levels of participation and agencies are not required to participate.

For others wishing to participate, there is the domain dnsops.biz available for delegations. This is for those organizations which may not qualify or do not wish to have a delegation under dnsops.gov. Both are maintained by the SNIP administration team and have the same set of servers. Currently both zones have the same DNSSEC signing policy and key generation policy, but that may change in the future with regards to experimentation of procedures and tools.

Go to the SNIP registration page to get started. The SNIP admnistrators will work with your organization to get your zone integrated into the signed SNIP tree. Possible participation levels are:

The current SNIP trust anchors are available for those wishing to configure it in validating resolvers. This does not require any participation to configure the SNIP trust anchors. However, it may be necessary to subscribe to the SNIP mailing list or check back frequently to update the trust anchors. At least one rollover of one of the trust anchors will be performed every year. Which trust anchor (dnsops.biz or dnsops.gov) and the details will be announce before the rollover takes place.

Resources

• Progress of DNSSEC Deployment in the .gov domain.

• SNIP delgation request page

• Current SNIP Trust Anchors

• NIST Special Publication 800-81 (pdf file)

• FISMA Implementation Project (NIST)

• DNSSEC-Tools A set of administrator tools and end user plug-ins that use DNSSEC (Developed by Sparta Inc.)

• DNSSEC.NET Information Clearinghouse

Associated Projects

• DNSSEC Deployment Project Webpage

• DNSSEC deployment on Internet2

• DNSSEC and FISMA

Questions or comments should be sent to the SNIP admin

NIST is an agency of the U.S. Department of Commerce. Privacy policy / security notice / accessibility statement / Disclaimer / Freedom of Information Act (FOIA) / No Fear Act Data
Date created 6/2/2008. Last updated 2/5/2010.