NIST logo

Frequently Asked Questions

General

DNS Security Extensions

SNIP Community

SNIP technical questions


What does "SNIP" stand for?

"SNIP" stands for Secure Naming Infrastructure Pilot. As the name implies, it is a pilot program for deploying DNSSEC on a wide scale. The ultimate goal of the pilot is transition the SNIP pilot domain operations to the .gov TLD domain. In effect, SNIP is a distributed DNSSEC deployment workshop where new operations can be developed and tested before wide scale deployment on operational DNS zones.

The SNIP has now been closed to new delegations, and its role as a distributed testbed has been included in the new High Assurance Domain project, which includes a testbed sub-project.

What is DNSSEC?

"DNSSEC" is the DNS Security Extensions and comprises a set of new DNS Resource Records (RRs) and protocol operations to add origin authentication and data integrity to DNS data in responses. It was developed as an open standard in the IETF and deployment has begun on a number of DNS zones. DNSSEC adds digital signatures to DNSSEC data in responses that can be validated by clients using public keys associated with a particular zone. The DNSSEC was designed primarily to protect clients and caches against redirection and cache poisoning attacks.

What is FISMA?

"FISMA" stands for Federal Information Security Management Act (PDF file) and is the primary set of regulations regarding the implementation of various information security measures on IT systems used by the US Federal Government. FISMA classifies all Federal IT systems into 3 categories of severity based on importance: Low, Medium, and High. IT administrators must then deploy a range of IT security controls for each system based on which category a system is placed. The document that lays out the classification levels and means is FIPS 199 and NIST Special Publication 800-53 contains the security controls for each security classification.

Does FISMA apply to me?

FISMA applies to all US federal agencies. If you are unsure of your FISMA status, please ask your organization's compliance officer or the Office of Management and Budget (OMB) for guidance.


Where do I learn about DNSSEC?

The core specifications of DNSSEC are RFC4033, RFC4034 and RFC4035. More information, tutorials, and training material can be found at DNSSEC.NET, a good clearing house for general DNS related information. In addition, there is also NIST Special Publication 800-81, which is aimed at general DNS Security (as well as DNSSEC) deployment for federal agencies. NIST SP 800-81 is part of the supplemental guidance documentation for DNS related FISMA controls.

What DNS implementations can understand DNSSEC?

Currently, there are several open source and commercial DNS server implementations that understand DNSSEC. The most popular is BIND, maintained by ISC but there is also NSD maintained by NLNet Labs. BIND supports both authoritative and caching servers, while NSD is authoritative only.

Commercially, Nominum's ANS supports DNSSEC and is currently available. Microsoft has announced that DNSSEC is available in Microsoft Server 2008 R2.

This is not an exhaustive list of DNSSEC capable software. More information can be found on The DNSSEC Deployment Initiative's software tracker

What tools are available?

Note that DNSSEC tool development is in a state of constant flux. This is by no means an exhaustive list of available tools.

Good places to start finding DNSSEC-enabled tools is the DNSSEC Deployment Initiative's software tracker and DNSSEC.NET. These sites attempt to keep an up to date catelog of current DNSSEC implementations and tools. In addition, Sparta Ince maintains DNSSEC-tools.org, a collection of administrative tools and DNSSEC enabled plug-ins to popular Internet utilities.


How do I join?

The SNIP is currently closed to new delegations. Administrators and zone owners wishing to have a test delegation can go to the successor High Assurance Domain project and request a delegation. The HAD project is run by the same team as the SNIP team and the HAD testbed serves the same purpose.

What hardware/software do I need before I join?

It is hoped that participants will mirror their current DNS infrastructure as much as possible, but a the base minimum, systems capable of acting as a DNS server and DNSSEC-capable server software. Since the SNIP is a pilot, it is not necessary to mirror the real infrastructure one for one, but just enough to gain experience with the new procedures and tools needed to deploy DNSSEC.

In the case where an organization wishing to participate cannot provide all of the resources necessary to operate a delegation in the SNIP program, the SNIP/HAD team is willing to work with the organization and provide whatever assistance is necessary. However, the SNIP is not a hosting service and the participants are expected to perform the operations needed to deploy and maintain a DNSSEC-enabled zone.

Is there a mailing list?

Not for the SNIP, but there is a general USG DNS administrator's mailing list "gov-dns@nist.gov". Membership is restricted to government employees (Federal, state and local) and contractors directly supporting a .gov deployment. To join, send an email message to gov-dns-request@nist.gov

Where do I find a secondary for my zone?

In order to best understand how to perform secure zone transfers, it is best if participants have at least one secondary for their pilot zone. Ideally, this secondary should exist in another organization for better reliability of the zone. SNIP will assist in matching up participants to act as secondaries for each other, or if unable, may secondary some zones on additional SNIP servers.

Participants are encouraged to find and negotiate serving secondaries with other SNIP (now HAD) participants (or even other DNSSEC pilot domains). Contact the SNIP administrators for more details.


Do I have to use my real zone?

No. A SNIP/HAD participants is encouraged to have a minimal zone as necessary to gain experience using DNSSEC. That does not require a mirror of an agencies operational public DNS zone. Only a brief collection of resource records (that may not even indicate actual hosts on the Internet). Participants are free to mirror as much as their real zone as they wish (for example, including aliases to, or the real names/IP addresses of web servers) to fully test their SNIP delegation.

Does the SNIP have an IPv6 connection?

Yes, via NIST.

Where can I get the SNIP public key?

You really don't need it. DNSSEC works by building off of the existing hierarchy of DNS. The SNIP zone (dnsops.gov) has a secure link from .gov, which has a secure link from the DNS root zone. If you get the root zone key and install it in your validator you can validate any response from dnsops.gov.


Questions or comments should be sent to the HAD pilot admin

NIST is an agency of the U.S. Department of Commerce.

Privacy policy / security notice / accessibility statement / Disclaimer / Freedom of Information Act (FOIA) / Environmental Policy Statement / No Fear Act Policy / NIST Information Quality Standards / Scientific Integrity Summary

Date created 04/05/2012. Last updated 05/06/2015.