Federal Manager's Daily Report

OMB has issued a memo describing existing and new policies for deploying "domain name system security" — DNSSEC — to all federal information systems by December 2009.

DNSSEC provides cryptographic protections to DNS communication exchanges, thereby removing threats of DNS-based attacks and improving the overall integrity and authenticity of information processed over the Internet, according to OMB memo M-08-23.

In December of 2006 the National Institute of Standards and Technology issued a special publication, "Recommended Security Controls for Federal Information Systems," prescribing initial DNSSEC deployment steps necessary for FISMA high and moderate impact information systems.

The memo addresses issues in following through with the existing policy and expanding its scope to address all US government information systems, OMB explained.

It said the government would deploy DNSSEC to the top-level .gov domain, including the registrar, registry, and DNS server operations, by January 2009.

The policy requires that the top-level .gov domain be DNSSEC-signed and calls for the development of processes to enable secure delegated sub-domains.

According to the memo, signing the top-level .gov domain is a necessary step for the broad deployment of DNSSEC, increases the utility of DNSSEC, and simplifies lower-level deployment by agencies.

Agencies are required to develop a plan of action with milestones for the deployment of DNSSEC to all applicable information systems by December 2009, the memo said.

Plans should follow recommendations in another NIST publication, "Secure Domain Name System Deployment Guide," and address the particular requirements described in the NIST publication above.