Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST.


National Institute of Standards and Technology

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST has been involved with DNSSEC deployment for many years: developing the core protocol specification, testing and measuring the impact of DNSSEC on server performance, and helping develop guidance for DNS administrators using DNSSEC. The driving force behind the creation of the SNIP project is the new Federal Information Security Management Act (FISMA), a set of security controls that all federal agencies must implement. One of the new controls is the deployment of DNSSEC to zone information in the .gov domain.

NIST operates the primary authoritative servers for dnsops.gov and dnsops.biz. NIST has also produced NIST Special Publication 800-81: Secure Domain Name System (DNS) Deployment Guide as well as an online tool to test conformance.

How is the SNIP using the NIST tools?

The NIST tools are being used to monitor the "health" of the dnsops.gov and dnsops.biz domain trees. A modified version of the NIST Secure Zone Integrity Tester (SZIT) runs a series of tests daily on dnsops.gov, dnsops.biz and all of their delegations. The results are published on a separate page, along with the trust anchor for every zone monitored. New delegations are found automatically when the dnsops.gov/biz zone files are checked, and they are added to the list of zones monitored by the tool.
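The delegation-discovery step described above can be sketched as follows. This is an added example, not the SZIT tool or any NIST code; the zone contents, name server names and DS digest are constructed, and the parser assumes one record per line with no parenthesized multi-line records.

```python
# Added illustration: find delegations in a parent zone file and update
# the list of monitored zones. All zone data below is constructed.
SAMPLE_ZONE = """\
$ORIGIN dnsops.gov.
$TTL 3600
@      IN SOA ns1.dnsops.gov. admin.dnsops.gov. 2009091001 7200 3600 604800 3600
@      IN NS  ns1.dnsops.gov.
ns1    IN A   192.0.2.1
alpha  IN NS  ns1.alpha.dnsops.gov.   ; signed child: DS present
alpha  IN DS  12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
beta   IN NS  ns.example.net.         ; unsigned child: no DS
www    IN A   192.0.2.10
"""

def fqdn(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def find_delegations(zone_text):
    """Return {child_zone: has_ds} for every NS owner other than the apex."""
    origin, apex, owner = ".", None, None
    ns_owners, ds_owners = set(), set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):             # $ORIGIN, $TTL, ...
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not line[0].isspace():                 # blank owner = previous owner
            owner, fields = fqdn(fields[0], origin), fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields = fields[1:]                   # skip optional TTL and class
        if not fields or owner is None:
            continue
        rtype = fields[0].upper()
        if rtype == "SOA":
            apex = owner
        elif rtype == "NS":
            ns_owners.add(owner)
        elif rtype == "DS":
            ds_owners.add(owner)
    return {z: z in ds_owners for z in sorted(ns_owners) if z != apex}

def update_monitored(monitored, zone_text):
    """Return (full monitored list, newly discovered delegations)."""
    found = set(find_delegations(zone_text))
    return sorted(set(monitored) | found), sorted(found - set(monitored))
```

A delegation with NS records but no DS record is an insecure delegation, so the `has_ds` flag tells a monitor which children should be expected to validate from the parent's trust anchor.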

Other small tools are also used in SNIP administration. Most of these are small scripts for trivial tasks and are custom to the SNIP environment.

NIST also produced Special Publication 800-81: Domain Name System (DNS) Security Recommendations. NIST SP 800-81 provides a list of recommendations and examples for operating a DNS authoritative server in a secure manner. The primary authoritative servers are configured in accordance with the recommendations in this guide.

How closely does SNIP follow the guide?

The SNIP guide follows all the recommendations that make sense for the pilot deployment. The NIST SP 800-81 guide only provides recommendations for common deployments. Individual organizations should consider which recommendations would provide good security for their DNS systems and which recommendations would not improve security on their network.

Questions or comments should be sent to SNIP admins.

Date created 6/2/2008. Last updated 9/10/2009.
