Disclaimer: Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST.

Machine GearsISC Inc Logo Banner

Internet Software Consortium (ISC)

Internet Systems Consortium, Inc. (ISC) is a nonprofit 501(c)(3) public benefit corporation dedicated to supporting the infrastructure of the universal connected self-organizing Internet ”and the autonomy of its participants” by developing and maintaining core production quality software, protocols, and operations. ISC is the developer of the BIND DNS server implementation.

The Berkeley Internet Name Domain (BIND) is the primary authoritative DNS server software used for the dnsops.gov and dnsops.biz zones. BIND is an open source DNS implementation that can operate as an authoritative or recursive caching name server. This includes DNSSEC functionality: A BIND server can act as a DNSSEC-aware authoritative server or a recursive validating resolver.

BIND is the most widely used DNS implementation, and some other implementations have been based on BIND's core architecture. Most of the examples in SNIP guides are written with BIND operation in mind.

How is BIND being used on the SNIP?

The authoritative servers for dnsops.biz and dnsops.gov run the latest official release of BIND. The BIND servers are installed and configured according to the guidance in NIST Special Publication 800-81. The examples in NIST SP 800-81 use the BIND configuration file format and BIND utilities. DNS administrators should consult the individual sections in NIST SP 800-81 on how to meet individual checklist items using the utilities and features in BIND.

Separation of Signing and Serving

When the SNIP was first established, the key generation and zone signing was done on a separate machine from the authoritative server, as recommended in NIST SP 800-81. Currently, the signing keys are still maintained separately, but the dnssec-tools package is used to generate keys and sign the zone.

Does the SNIP follow the guide exactly?

The SNIP guide follows all the recommendations that make sense for the pilot deployment. The NIST SP 800-81 guide only provides recommendations for common deployments. Individual organizations should consider which recommendations would provide good security for their DNS systems and which recommendations would not improve security on their network.

DNSSEC Deployment Initiative logo Questions or comments should be sent to SNIP admins.

NIST is an agency of the U.S. Department of Commerce. Privacy policy / security notice / accessibility statement / Disclaimer / Freedom of Information Act (FOIA) / No Fear Act Data
Date created 6/2/2008. Last updated 8/12/2010.

Website accessibility rating Section 508 approved by section508.info