SNIP Document Repository

This is a page containing various papers, publications and presentations produced by NIST about the SNIP project, DNSSEC and how DNSSEC is used/mandated within the US Federal Government.  This page will be updated with new material when available. 

Special Publications

NIST Special Publication 800-81:  Secure Domain Name System (DNS) Deployment Guide: 
This Special Publication is aimed to provide guidance and recommendations for US Federal zone administrators, but contains information and best common practices that could apply to all DNS zone administrators.  SP 800-81r1 is not a official regulation in itself, but is used as a reference in NIST SP 800-53 (the FISMA controls). There is also the following unofficial supplemental material:


NIST Special Publication 800-57 Part 3: Recommendations for Key Management Application Specific Guidance.
Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 3 provides guidance when using cryptographic features of current systems and provides guidance for system procurement, system installers, administrators and end users.

Papers and Articles

R. Chandramouli and S. Rose, "Open Issues in Secure Domain Name System Deployment" (PDF)  IEEE Security and Privacy Sept/Oct 2009.

S. Rose and A. Nakassis.  "Minimizing Information Leakage in the DNS" (PDF) IEEE Network, March/April 2008.

R. Chandramouli and S. Rose, "Challenges in Securing the Domain Name System" (PDF)  IEEE Security and Privacy Jan/Feb 2006.

R. Chandramouli and S. Rose, "An Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis" (PDF) 21st Annual Computer Security Applications Conference, Nov. 2005.



S. Rose, "An Overview of DNSSEC Errors in .gov During the Nov-Dec 2011 Timeframe" Whitepaper looking at DNSSEC errors seen in the Federal .gov space during the holiday period of Nov-Dec, 2011.

Internet Drafts and RFC's

R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.

R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.

R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.

S. Rose and W. Wijngaards.  "Update to DNAME Redirection in the DNS" RFC 6672

S. Rose. "Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry" RFC 6944.

S. Crocker and S. Rose "Signaling Cryptographic Algorithm Understanding in DNSSEC" RFC 6975

Presentations

The following are some past presentations and material from other presentations.  Feel free to use this material as needed in producing your own in house training/briefing.  Given the rapid pace of deployment, some of this material may be out of date or supersceeded by new material.  Please take that into consideration before reading and be sure to consult the latest news and documentation about DNSSEC. 

Basic DNSSEC briefings:
High-level (PDF):  Aimed at non-DNS experts with limited technical knowledge.  Covers the basics of DNSSEC such as what it provides, how it works (at a high level) and basic deployment history.
Lower-level (PDF):  Aimed at a technical audience who may know the basics of DNS.  Goes into greater detail about how DNSSEC works.
FISC Presentation (PDF):  Originally presented June 3rd, 2009 at the Federal Information Security Conference in Colorado Springs CO.  General DNSSEC overview with lessons learned in early deployments.
JointTechs Winter 2011 DNSSEC tutorial (PDF): Aimed at admnistrators and those with basic DNS knowledge. A quick overview of DNSSEC and how DNSSEC works. Originally give at the JointTechs Winter 2011 meeting.
DNSSEC Workshop Course (PDF): Aimed at admnistrators and those with advanced DNS knowledge. An in-depth training course with hands-on portions for generating a signed zone and configuring a BIND server to be DNSSEC-aware.

Secure Naming Infrastructure Pilot (SNIP) briefing:
SNIP-Testbed (PDF):  Originally presented March 12th, 2009 GovSec conference.  Overview of the Secure Naming Infrastructure Pilot, what it provides and how to participate.

DNSSEC and FISMA:
FOSE 2011 Presentation (PDF):  Originally presented at the 2011 FOSE conference.  Does not cover FISMA in general, but calls out the DNS related FISMA controls found in NIST SP 800-53.
Secure64 "DNSSEC Declassified" Seminar Presentation (PDF):  Originally presented July 27th, 2010 at Secure64 sponsored event.  Contains same material as the FOSE presentation, with a general (very) high level overview of FISMA.  Presentation also contains some lessons learned from early .gov deploymements and the current status of DNSSEC in the .gov domain.
DHS Cybersecurity Conference and Workshop (PDF) Originally presented Oct. 5th, 2011 at the DHS Cybersecurity Conference and Workshop in Baltimore MD. This presentation provides some data on the continuous monitoring program by DHS FNS of DNSSEC deployment within the US Federal government.

Other:
What to Ask Vendors About DNSSEC (PDF): Originally presented March 12th, 2009 GovSec conference.  Contains a list of questions network administrators should have in mind when considering DNSSEC products or services for their enterprise. 

Code Downloads

While not strictly speaking documents, the following software packages are from the original NIST DNSSEC project page.  These software packages are no longer fully supported, but the SNIP admins are available to answer some questions:


Questions or comments should be sent to the SNIP admin

NIST is an agency of the U.S. Department of Commerce.

Privacy policy / security notice / accessibility statement / Disclaimer / Freedom of Information Act (FOIA) / Environmental Policy Statement / No Fear Act Policy / NIST Information Quality Standards / Scientific Integrity Summary

Date created 04/05/2012. Last updated 10/22/2013.