
DNSSEC as it relates to the FISMA controls

Note: This is not meant to be a FISMA tutorial, nor is any of this information guaranteed to be 100% accurate. It is only a guide and a collection of pointers to help a DNS administrator who needs to meet one or more FISMA controls with regard to the DNS protocol. Other controls may apply to the host system, and institutional policies and procedures may apply as well. Please see the NIST FISMA Implementation Project webpage for more detailed information.

The Federal Information Security Management Act (FISMA) (Title III of the E-Government Act) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

At its heart are FIPS 199: Standards for Security Categorization of Federal Information and Information Systems, which defines the three impact categories for all Federal IT systems (Low, Moderate, and High), and FIPS 200: Minimum Security Requirements for Federal Information and Information Systems, which lays out the minimum requirements for Federal IT systems based on a risk-based process of selecting security controls. The individual controls that apply for each category are listed in NIST Special Publication 800-53 (revision 4): Security and Privacy Controls for Federal Information Systems and Organizations. Of these, four controls relate to lookup services (i.e. DNS) in particular:

Checking DNS Related FISMA Controls

There is another guidance document issued as part of the FISMA controls: NIST Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. This guide provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. It follows the structure of NIST SP 800-53: for each security control listed there it gives assessment procedures, with the checks depending on the control and on the security category of the system.

Questions about DNSSEC deployment?

The 2008 announcements from OMB on DNSSEC deployment in the .gov realm may raise several questions in an organization. Please see the new NIST DNSSEC FAQ first for possible answers. While the questions and answers may not match the exact nature of your question, they may provide a helpful guide to finding more information on issues important to your deployment of DNSSEC.

What about SCAP?

There is ongoing work to produce DNS server checklists and configuration elements as SCAP content. This webpage will be updated as this new material is produced.

What about NIST Special Publication 800-57?

NIST Special Publication 800-57: Recommendation for Key Management is a three-part publication that gives guidance on cryptographic key sizes based on intended use, future security requirements and protocol use. The first two parts of this Special Publication have been released. The third part gives guidance for specific application uses, including DNSSEC. As of the time of writing, part three of NIST SP 800-57 has not had a final release.

NIST Special Publication 800-57 is not listed as an official FISMA guidance document. However, the publication covers Federal IT regulations with regard to cryptographic key sizes for various applications and gives a road map for future minimum security requirements. All Federal IT administrators should consult NIST SP 800-57 when generating cryptographic keys for a particular application. The first part of SP 800-57 has a general road map for key sizes for use with all protocols. However, early deployments of DNSSEC reported problems with large DNS responses (such as a DNSKEY RRset holding several 2048-bit keys) being dropped or blocked by middleboxes such as firewalls, forwarders and some older caches. Because ZSKs, and the signatures they produce, are short-lived (ZSKs are rolled frequently), the deadline for retiring 1024-bit RSA keys in DNSSEC is extended, but for Zone Signing Keys (ZSKs) only. This deadline is extended until 2015, when it is expected that digital signatures using Elliptic Curve Cryptography will be specified for use with DNSSEC.


Recommended Minimum Cryptographic Strength for DNSSEC

Year              Algorithm Suite                        KSK Size            ZSK Size
Now -> 2015       RSA/SHA-1                              2048 bits           1024 bits
2010 -> 2015      RSA/SHA-256                            2048 bits           1024 or 2048 bits
2015 and beyond   ECDSA (Curve P-256 or Curve P-384)     f = 224-255 bits    f = 224-255 bits

Here f is, as in SP 800-57 Part 1, the bit length of the order n of the curve's base point. Note that the two named curves both exceed the range given in the table: P-256 has a 256-bit order and P-384 a 384-bit order (128-bit and 192-bit security strength respectively).

A zone administrator should not immediately migrate to a new algorithm suite (e.g. RSA/SHA-256 or possibly ECDSA) without a transition period during which both the new and the old algorithm suites are in use. This is for backwards compatibility with clients (DNSSEC validators) that have not been upgraded to understand the newly defined algorithm suite. During this time, older clients will continue to validate signatures using the older algorithm until they are upgraded and can validate the newly deployed algorithm suite. In practice the transition means double-signing: RFC 4035 (section 2.2) requires that every RRset in the zone carry an RRSIG made with a key of each algorithm that appears in the apex DNSKEY RRset, so the new algorithm's DNSKEY should be published and all RRsets signed with both algorithms before the new DS record is added at the parent, and the old algorithm's signatures and DNSKEY should be removed only after the old DS has been withdrawn and cached copies have expired. A more detailed guide is given in NIST SP 800-81, but others may be available as well.
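The two checks a DNS administrator would want to script from the material above are (a) whether each published DNSKEY meets the minimum size in the table for its role, and (b) whether, during a dual-algorithm transition, every RRset is still signed with every algorithm present in the apex DNSKEY RRset. The following Python is an added example written for this page; it is not NIST code and not part of SP 800-57 or SP 800-81. The zone name example.gov., the key material and the RRSIG line are constructed for the demonstration (the RSA moduli are placeholder values of the right length, not real keys); only the RFC 3110 / RFC 6605 encodings and the size rules are taken from the standards.

```python
import base64

# Algorithm numbers from the IANA DNSSEC algorithm registry that this check understands.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
# ECDSA algorithms imply a fixed curve; RFC 6605 encodes the public key as x||y (64 or 96 octets).
ECDSA_ALGORITHMS = {13: ("ECDSAP256SHA256", 64), 14: ("ECDSAP384SHA384", 96)}
# Minimum RSA modulus sizes taken from the table above.
MIN_RSA_BITS = {"KSK": 2048, "ZSK": 1024}


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY record:
    <owner> <TTL> IN DNSKEY <flags> <protocol> <algorithm> <base64 key>"""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    if not flags & 0x100:
        raise ValueError("not a zone key (ZONE flag, bit 7, is clear)")
    role = "KSK" if flags & 0x0001 else "ZSK"          # SEP bit set => key signing key
    key = base64.b64decode("".join(fields[i + 4:]))     # key may span several tokens
    return {"owner": fields[0], "role": role, "alg": alg, "key": key}


def rsa_modulus_bits(key):
    """RFC 3110 wire format: exponent length (1 octet, or 0 followed by 2 octets),
    then the exponent, then the modulus. Return the modulus length in bits."""
    exp_len, off = key[0], 1
    if exp_len == 0:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def check_key_strength(rec):
    """Return (ok, description) for one parsed DNSKEY, using the table's minimums."""
    alg, role = rec["alg"], rec["role"]
    if alg in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(rec["key"])
        return bits >= MIN_RSA_BITS[role], f"{role} {RSA_ALGORITHMS[alg]} {bits}-bit (minimum {MIN_RSA_BITS[role]})"
    if alg in ECDSA_ALGORITHMS:
        name, expected = ECDSA_ALGORITHMS[alg]
        return len(rec["key"]) == expected, f"{role} {name} {len(rec['key'])}-octet point (expected {expected})"
    return False, f"{role} unknown algorithm {alg}"


def rrsig_algorithms(rrsig_lines):
    """Collect algorithm numbers from RRSIG records:
    <owner> <TTL> IN RRSIG <type covered> <algorithm> <labels> ..."""
    algs = set()
    for line in rrsig_lines:
        fields = line.split()
        algs.add(int(fields[fields.index("RRSIG") + 2]))
    return algs


def missing_algorithms(dnskey_recs, rrsig_lines):
    """RFC 4035 section 2.2: each RRset needs an RRSIG for every algorithm in the apex
    DNSKEY RRset. Return the algorithms that have a DNSKEY but no RRSIG over this RRset."""
    return {r["alg"] for r in dnskey_recs} - rrsig_algorithms(rrsig_lines)


# --- constructed sample data: placeholder keys, only encoding and length matter ---
def fake_rsa_dnskey(owner, flags, alg, bits):
    modulus = (1 << (bits - 1)).to_bytes(bits // 8, "big")   # top bit set => exactly `bits` long
    wire = bytes([3]) + b"\x01\x00\x01" + modulus              # e = 65537, 3-octet exponent
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(wire).decode()}"


def fake_ecdsa_dnskey(owner, flags, alg, point_len):
    wire = bytes(range(point_len))                             # placeholder x||y
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(wire).decode()}"


SAMPLE_DNSKEYS = [
    fake_rsa_dnskey("example.gov.", 257, 5, 2048),   # KSK RSA/SHA-1, 2048 bits: meets table
    fake_rsa_dnskey("example.gov.", 256, 5, 1024),   # ZSK RSA/SHA-1, 1024 bits: meets table
    fake_rsa_dnskey("example.gov.", 257, 8, 1024),   # KSK RSA/SHA-256 but only 1024 bits: too weak
    fake_ecdsa_dnskey("example.gov.", 256, 13, 64),  # ZSK ECDSA P-256, correctly encoded
]
# Mid-rollover: www.example.gov. A is still signed with algorithm 5 only (signature is a placeholder).
SAMPLE_RRSIGS = [
    "www.example.gov. 3600 IN RRSIG A 5 3 3600 20131101000000 20131001000000 12345 example.gov. AAAA",
]


def audit(dnskey_lines, rrsig_lines):
    """Run both checks; returns ([(ok, description), ...], {algorithms lacking an RRSIG})."""
    recs = [parse_dnskey(line) for line in dnskey_lines]
    return [check_key_strength(r) for r in recs], missing_algorithms(recs, rrsig_lines)


if __name__ == "__main__":
    report, missing = audit(SAMPLE_DNSKEYS, SAMPLE_RRSIGS)
    for ok, desc in report:
        print("OK  " if ok else "WEAK", desc)
    if missing:
        print("RRSIGs missing for DNSKEY algorithm(s):", sorted(missing))
```

Run against a real zone by feeding it the output of `dig +dnssec DNSKEY` for the apex and `dig +dnssec` for each RRset of interest; the RRSIG check must be applied per RRset, since a single missing signature breaks validation for resolvers that follow RFC 4035 strictly.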


Questions or comments should be sent to the SNIP admin

NIST is an agency of the U.S. Department of Commerce.


Date created 04/05/2012. Last updated 10/22/2013.