Deploy360 5 March 2012

NIST To Require US Government Agencies to Validate DNSSEC

By Dan YorkDirector, Internet Technology

NIST LogoOur friends over at the DNSSEC Deployment Initiative have noted today that the US National Institute of Standards and Technology (NIST) has announced proposed changes to the Federal Information Security Management Act (FISMA) controls that include among the many changes two relating to DNSSEC. The critical change is “SC-21” as explained by the DNSSEC Deployment Initiative folks:

SC-21 is changed to require “[t]he information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.”  This means that all Federal systems must either request and validate DNSSEC responses, or have a trusted link to a validator that can provide that service for the system. Control SC-21 is also changed to be required for all security levels (Low, Moderate and High).

Essentially this means that when this is fully implemented all US government systems should be consumers/users of DNSSEC, meaning that they will validate domains if they are signed with DNSSEC.

The article also notes that this new requirement will become official 12 months from the final publication of the NIST document, expected to be July 2012.  The document released last week by NIST is a draft of “Special Publication 800-53 Revision 4” that is open for public comment through April 6, 2012.

It’s great to see this requirement being added to FISMA controls and as it rolls out it will definitely increase the usage and visibility of DNSSEC.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...