Mark Weatherford, chief information security officer, California Mark Weatherford, chief information security officer, California Photo courtesy of Mark Weatherford

I don't typically delve into technical issues in this column, but this month I'm going to take a shallow dive because there's an important issue that I think government CIOs, especially state CIOs, need to begin planning for: Domain Name System Security Extensions (DNSSEC). Most CIOs are somewhat familiar with the original Domain Name System (DNS), but the DNSSEC creates some complications, so in less than 700 words I'm going to explain why you should care about it.

Let's start with the DNS. According to Wikipedia, the DNS is a "hierarchical naming system for computers, services or any resource connected to the Internet or a private network." In simpler terms, the DNS is the translator between a very scary looking IP address like 134.186.200.20 and the fully qualified domain name of www.ca.gov. The Internet doesn't work without the DNS. Unfortunately when the DNS was developed in 1983, security controls weren't built in and over the years, serious security flaws have been discovered resulting in numerous changes. Most recently, researcher Dan Kaminsky discovered a major flaw in the DNS that allowed cache-poisoning attacks, which essentially deceives a DNS server into believing it has received legitimate data when it may actually be fraudulent.

One of the biggest changes to the DNS is DNSSEC, which adds security controls to the original protocol. Specifically the DNSSEC provides additional extensions to the original DNS protocol that allows for origin authentication of the DNS data, data integrity and authenticated denial of existence. In simple terms, the DNSSEC thwarts spoofing attacks by allowing websites to validate domain names and the associated IP addresses using digital signatures and public-key encryption. This mitigates the threat of bad guys hijacking your Web traffic and redirecting it to fake sites to carry out their dastardly deeds. Citizens and other users of government website services would rightfully consider this unacceptable.

The DNSSEC must be complicated right? To a certain degree it is, but it's also becoming easier because as more public- and private-sector organizations implement the DNSSEC, the tools, services and procedures become more routine and understood. The U.S. Office of Management and Budget issued a directive in 2008 that the federal government would deploy the DNSSEC to the top-level .gov domain by January 2009 and that all subdomains under .gov -- such as the U.S. Department of Agriculture at www.usda.gov -- would be signed by December 2009.

"DNSSEC changes things," Kaminsky said. "It fuses the canonical, delegated, foundational technology of DNS with a strong cryptographic base. Scalable security? It's coming to those who can host secure DNS records."

The transition to the DNSSEC won't be completely painless and without cost, but it will be worth it in the security and efficiencies it brings. While most of the expense in the DNSSEC deployment is establishing procedures and software for key management, it also will require an investment in training so a proactive DNSSEC migration campaign is a good idea. The key management issue with the DNSSEC is solved, but it will require a new skill level for the DNS administrators.

CIOs should begin by determining the location of their DNS servers and what's on them. This will not be as easy as it sounds and certainly not a trivial undertaking. If you think I'm overdramatizing, just call your enterprise DNS administrator and ask him or her where all the DNS servers in your enterprise are located, who manages them and what other applications or services are running on the servers. My bet is you'll get some foot shuffling, stuttering and "I'm not sure" answers. That's because it's a complicated question and they don't necessarily own or manage all the DNS servers in your environment.

Patrick McGuire, California's deputy chief information security officer, said it best: "DNSSEC provides citizens an assurance their transaction is with an authenticated website. Whether they are filing taxes or paying a vehicle registration, citizens need to know the confidential and sensitive data they enter into a Web form is actually hosted on a government-controlled system. DNSSEC gives that assurance."

For those of us in the public sector, the DNSSEC is a game changer that we can't afford to miss.

 

Mark Weatherford  |  Contributing Writer

Mark Weatherford is the former chief information security officer of California. Weatherford now serves as vice president and chief security officer for the North American Electric Reliability Corp., an  organization whose mission is to ensure the reliability of the bulk power system of North America.