"SNIP" stands for Secure Naming Infrastructure Pilot. As the name implies, it is a pilot program for deploying DNSSEC on a wide scale. The ultimate goal of the pilot is to transition the SNIP pilot domain operations to the .gov TLD. In effect, SNIP is a distributed DNSSEC deployment workshop where new operations can be developed and tested before wide-scale deployment on operational DNS zones.
"DNSSEC" is the DNS Security Extensions and comprises a set of new DNS Resource Records (RRs) and protocol operations that add origin authentication and data integrity to DNS data in responses. It was developed as an open standard in the IETF and deployment has begun on a number of DNS zones. DNSSEC adds digital signatures to DNS data in responses that can be validated by clients using public keys associated with a particular zone. DNSSEC was designed primarily to protect clients and caches against redirection and cache poisoning attacks.
"FISMA" stands for Federal Information Security Management Act (PDF file) and is the primary set of regulations regarding the implementation of various information security measures on IT systems used by the US Federal Government. FISMA classifies all Federal IT systems into 3 categories of severity based on importance: Low, Medium, and High. IT administrators must then deploy a range of IT security controls for each system based on the category in which the system is placed. The document that lays out the classification levels and means is FIPS 199, and NIST Special Publication 800-53r1 contains the security controls for each security classification.
FISMA applies to all US federal agencies. If you are unsure of your FISMA status, please ask your organization's compliance officer or the Office of Management and Budget (OMB) for guidance.
The core specifications of DNSSEC are RFC 4033, RFC 4034, and RFC 4035. More information, tutorials, and training material can be found at DNSSEC.NET, a good clearing house for general DNS-related information. In addition, there is also NIST Special Publication 800-81, which is aimed at general DNS security (as well as DNSSEC) deployment for federal agencies. NIST SP 800-81 is part of the supplemental guidance documentation for DNS-related FISMA controls.
Currently, there are several open source and commercial DNS server implementations that understand DNSSEC. The most popular is BIND, maintained by ISC but there is also NSD maintained by NLNet Labs. BIND supports both authoritative and caching servers, while NSD is authoritative only.
Commercially, Nominum's ANS supports DNSSEC and is currently available. Microsoft has announced that DNSSEC will be integrated into its Longhorn server release.
This is not an exhaustive list of DNSSEC-capable software. More information can be found on the DNSSEC Deployment Initiative's software tracker.
Note that DNSSEC tool development is in a state of constant flux. This is by no means an exhaustive list of available tools.
Good places to start finding DNSSEC-enabled tools are the DNSSEC Deployment Initiative's software tracker and DNSSEC.NET. These sites attempt to keep an up-to-date catalog of current DNSSEC implementations and tools. In addition, Sparta Inc. maintains DNSSEC-tools.org, a collection of administrative tools and DNSSEC-enabled plug-ins to popular Internet utilities.
There is currently no formal procedure for joining. Simply send an email to the SNIP administrators and they will get in touch with you about participation. Delegations will be granted to any federal agency that wishes to deploy and maintain a DNSSEC enabled zone. Assistance beyond a simple delegation is also available, but may require additional time based on the resources available.
No. There is no requirement for any federal agency to join the SNIP program. It is only to be used by DNS administrators from US Federal agencies that would like a temporary, but live, namespace in order to test DNSSEC deployment and new operations within their own agency. If an agency feels confident enough to deploy DNSSEC without participating, or the FISMA controls regarding DNSSEC do not apply to their systems, they do not need to participate. However, we would still be willing to assist federal agencies in deploying DNSSEC even if they choose not to use the SNIP program namespace.
No. The GSA policy on awarding .gov delegations describes who does and who does not qualify for a dnsops.gov domain registration. For all other participants, there is the dnsops.biz delegation. Both zones are operated by the SNIP team and will both be used in conducting experiments.
It is hoped that participants will mirror their current DNS infrastructure as much as possible, but at a bare minimum they need systems capable of acting as a DNS server and DNSSEC-capable server software. Since the SNIP is a pilot, it is not necessary to mirror the real infrastructure one for one, but just enough to gain experience with the new procedures and tools needed to deploy DNSSEC.
In the case where an organization wishing to participate cannot provide all of the resources necessary to operate a delegation in the SNIP program, the SNIP team is willing to work with the organization and provide whatever assistance is necessary. However, the SNIP is not a hosting service and the participants are expected to perform the operations needed to deploy and maintain a DNSSEC-enabled zone.
Yes. To subscribe, visit the dnsops mailing list administration page. Membership is moderator-approved. Use the SNIP administrators email address to send messages to the SNIP admin staff only.
In order to best understand how to perform secure zone transfers, it is best if participants have at least one secondary for their pilot zone. Ideally, this secondary should exist in another organization for better reliability of the zone. SNIP will assist in matching up participants to act as secondaries for each other, or, if that is not possible, may secondary some zones on additional SNIP servers.
Participants are encouraged to find and negotiate serving secondaries with other SNIP participants (or even other DNSSEC pilot domains). The SNIP mailing list is a good place to start looking.
Because the FISMA controls are to be enforced on a set schedule, the SNIP program will not be useful after a certain date as a test domain for agencies needing to deploy DNSSEC in order to meet reporting deadlines. It is expected that the SNIP will remain active for 1-2 years in order to assist in DNSSEC deployment in the .gov domain. The dnsops.gov domain will be retired at that time, but tools and the SNIP community will remain active to assist in DNSSEC deployment in the US Federal government. Currently, the termination date for the SNIP domain will be scheduled near the end of 2008.
No. A SNIP participant is encouraged to have only as minimal a zone as is necessary to gain experience using DNSSEC. That does not require a mirror of an agency's operational public DNS zone, only a brief collection of resource records (which may not even indicate actual hosts on the Internet). Participants are free to mirror as much of their real zone as they wish (for example, including aliases to, or the real names/IP addresses of, web servers) to fully test their SNIP delegation.
NIST has recently been able to obtain limited connectivity to Internet2. SNIP hopes to cooperate with ongoing
Where are the SNIP secondaries?
Currently, the SNIP is a partnership between the NIST DNSSEC project and Sparta Inc., both under the Department of Homeland Security's DNS Security deployment project. All zone transfers are protected using TSIG-authenticated transactions as described in NIST SP 800-81.
The primary authoritative server is located at NIST, with Sparta operating a secondary. A second primary authoritative server is operated in NIST's Internet2 connection, which is a physically separated network at NIST and requires the server to act as a primary authoritative server instead of a secondary.
A copy of the SNIP public key can be found here. It is in a format suitable to be added into a BIND configuration file "trusted-key" statement block.
There are no current processes to automate public key uploading at this time. Please send an email to the SNIP administrators and we can accept a delegation's public key and add a signed Delegation Signer (DS) RR to the delegation.
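The DS record the SNIP team adds to a delegation is derived mechanically from the child's DNSKEY: the key tag comes from RFC 4034 Appendix B and the digest is a hash over the canonical owner name followed by the DNSKEY RDATA (RFC 4034 section 5.1.4). The following is an added example, not SNIP project code, showing that derivation and the check a parent operator would run before publishing a DS so that the DS actually matches the key that was submitted. The owner name "example.dnsops.gov." and the 4-byte key "AQIDBA==" are constructed placeholders, not a real zone or key.

```python
"""Derive a Delegation Signer (DS) RR from a child zone's DNSKEY and verify that
a DS/DNSKEY pair match (RFC 4034 s5.1.4 and Appendix B).
Added example with constructed sample data; not SNIP project code."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): labels lowercased,
    each prefixed by its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form):
    even-offset octets weigh 256, odd-offset octets weigh 1, then fold the carry."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR the parent publishes for this DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds_rr: str, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key_b64: str) -> bool:
    """Check a parent operator runs before adding a DS: recompute key tag and digest
    from the submitted DNSKEY and compare them field by field with the DS RR."""
    fields = ds_rr.split()  # owner IN DS <tag> <alg> <digest type> <digest>
    tag, alg, dtype, digest = int(fields[3]), int(fields[4]), int(fields[5]), fields[6]
    if name_to_wire(fields[0]) != name_to_wire(owner):
        return False
    if dtype not in DIGEST_ALGS or alg != algorithm:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    expected = DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return tag == key_tag(rdata) and digest == expected


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) for a hypothetical SNIP delegation.
    # "AQIDBA==" is a 4-byte placeholder, not a real RSA public key.
    OWNER = "example.dnsops.gov."
    KSK = dict(flags=257, protocol=3, algorithm=8, public_key_b64="AQIDBA==")
    ds = make_ds(OWNER, **KSK)
    print(ds)
    print("submitted key matches DS:", ds_matches_dnskey(ds, OWNER, **KSK))
    # A different key (stale or tampered upload) must not validate against this DS.
    print("other key matches DS:", ds_matches_dnskey(ds, OWNER, 257, 3, 8, "BQIDBA=="))
```

The same digest computation is what a validating resolver performs in the other direction when it follows a chain of trust from a parent's DS down to the child's DNSKEY, so a mismatch here means the delegation would fail validation rather than merely being unsigned.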
Last updated 16/06/2008. Questions or comments should be sent to snip-admin@antd.nist.gov