This is a page containing various papers, publications and presentations produced by NIST about the SNIP project, DNSSEC and how DNSSEC is used/mandated within the US Federal Government. This page will be updated with new material when available.
Special Publication 800-81: Secure Domain Name System (DNS) Deployment Guide:
This Special Publication aims to provide guidance and recommendations for US Federal zone administrators, but contains information and best common practices that could apply to all DNS zone administrators. SP 800-81r1 is not an official regulation in itself, but is used as a reference in NIST SP 800-53 (the FISMA controls). There is also the following unofficial supplemental material:
Unofficial Errata for SP 800-81-1 (constantly updated).
Mapping NIST SP 800-81r1 Checklist Items to DISA DNS Configuration Checklist (and FISMA controls) (PDF)
Tips on meeting NIST SP 800-81 Checklist Items using:
NIST Special Publication 800-57 Part 3: Recommendations for Key Management Application Specific Guidance.
Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 3 provides guidance when using cryptographic features of current systems and provides guidance for system procurement, system installers, administrators and end users.
R. Chandramouli and S. Rose, "Open Issues in Secure Domain Name System Deployment" (PDF) IEEE Security and Privacy Sept/Oct 2009.
S. Rose and A. Nakassis. "Minimizing Information Leakage in the DNS" (PDF) IEEE Network, March/April 2008.
R. Chandramouli and S. Rose, "Challenges in Securing the Domain Name System" (PDF) IEEE Security and Privacy Jan/Feb 2006.
R. Chandramouli and S. Rose, "An Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis" (PDF) 21st Annual Computer Security Applications Conference, Nov. 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
S. Rose and W. Wijngaards. "Update to DNAME Redirection in the DNS" RFC 6672
S. Rose. "Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry" RFC 6944.
S. Crocker and S. Rose "Signaling Cryptographic Algorithm Understanding in DNSSEC" RFC 6975
The following are some past presentations and material from other presentations. Feel free to use this material as needed in producing your own in-house training/briefing. Given the rapid pace of deployment, some of this material may be out of date or superseded by new material. Please take that into consideration before reading and be sure to consult the latest news and documentation about DNSSEC.
Basic DNSSEC briefings:
High-level (PDF): Aimed at non-DNS experts with limited technical knowledge. Covers the basics of DNSSEC such as what it provides, how it works (at a high level) and basic deployment history.
Lower-level (PDF): Aimed at a technical audience who may know the basics of DNS. Goes into greater detail about how DNSSEC works.
FISC Presentation (PDF): Originally presented June 3rd, 2009 at the Federal Information Security Conference in Colorado Springs CO. General DNSSEC overview with lessons learned in early deployments.
JointTechs Winter 2011 DNSSEC tutorial (PDF): Aimed at administrators and those with basic DNS knowledge. A quick overview of DNSSEC and how DNSSEC works. Originally given at the JointTechs Winter 2011 meeting.
DNSSEC Workshop Course (PDF): Aimed at administrators and those with advanced DNS knowledge. An in-depth training course with hands-on portions for generating a signed zone and configuring a BIND server to be DNSSEC-aware.
Secure Naming Infrastructure Pilot (SNIP) briefing:
SNIP-Testbed (PDF): Originally presented March 12th, 2009 at the GovSec conference. Overview of the Secure Naming Infrastructure Pilot, what it provides and how to participate.
DNSSEC and FISMA:
FOSE 2011 Presentation (PDF): Originally presented at the 2011 FOSE conference. Does not cover FISMA in general, but calls out the DNS related FISMA controls found in NIST SP 800-53.
Secure64 "DNSSEC Declassified" Seminar Presentation (PDF): Originally presented July 27th, 2010 at a Secure64-sponsored event. Contains the same material as the FOSE presentation, with a general (very) high-level overview of FISMA. The presentation also contains some lessons learned from early .gov deployments and the current status of DNSSEC in the .gov domain.
DHS Cybersecurity Conference and Workshop (PDF): Originally presented Oct. 5th, 2011 at the DHS Cybersecurity Conference and Workshop in Baltimore MD. This presentation provides some data on the continuous monitoring program by DHS FNS of DNSSEC deployment within the US Federal government.
What to Ask Vendors About DNSSEC (PDF): Originally presented March 12th, 2009 at the GovSec conference. Contains a list of questions network administrators should have in mind when considering DNSSEC products or services for their enterprise.
While not strictly speaking documents, the following software packages are from the original NIST DNSSEC project page. These software packages are no longer fully supported, but the SNIP admins are available to answer some questions:
Anonymizer Tool v1.0 (Java)
Secure Zone Integrity Checker v1.2 (Java tar file)
Secure Zone Integrity Checker v1.2 (Java .zip file)
NIST Traffic Capture Tool (C - requires libpcap and libpthread)
NIST QuerySim DNS Workload Simulation tool Version 0.9.2
Traffic monitoring Tool (requires libpcap and libpthread)
Questions or comments should be sent to the SNIP admin
NIST is an agency of the U.S. Department of Commerce.
Date created 04/05/2012. Last updated 10/22/2013.