By William Jackson
July 23, 2009
The Energy Department has started implementing Domain Name System
Security Extensions on its high-performance Energy Sciences Network
(ESnet), using a commercial appliance to digitally sign DNS records and
manage cryptographic keys.
The first zones on the network were signed July 8, and it will be at
least another month before necessary software updates and testing are
completed and signed records can be published, said R. Kevin Oberman, a
network engineer at DOE's Lawrence Berkeley National Laboratory.
"We're just getting it cranked up now," Oberman said. "Thus far,
everything is working perfectly."
DNSSEC is a set of protocols for digitally signing records used by the
DNS to translate numerical IP addresses into commonly used domain names.
Because DNS transactions underlie most activity on the Internet,
assuring the authenticity of this information is crucial to security.
The .gov top-level domain was digitally signed in February, and the
Office of Management and Budget is requiring agencies to sign
second-tier domains within .gov by the end of the year.
ESnet is a network with a 100 gigabits/sec backbone that is used
primarily for scientific research. Although the DOE runs the network,
its domains are in the .net and .org top-level domains rather than .gov,
so the department was not required to sign its records by the OMB
mandate. Oberman said the decision to implement DNSSEC was to gain
practical experience. OMB also is expected to expand its mandate to
include government networks that are outside of .gov.