80% of gov't Web sites miss DNS security deadline

Most U.S. federal agencies -- including the Department of Homeland Security -- have failed meet a Dec. 31, 2009, deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

Agencies were required to roll out an extra layer of security on their .gov Web sites under an Office of Management and Budget mandate issued in August 2008, although at least one expert calls that year-end deadline "a little aggressive."

Aggressive or not, independent monitoring indicates that only 20% of agencies show signs of deploying the new security mechanism, which is called DNS Security Extensions, or DNSSEC for short.

DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Secure64, a DNS vendor, researched 360 federal agencies to see how many of their Web sites showed signs of digital signatures on their .gov domains.

"We found about 20% of agencies had signatures as of last week," says Mark Beckett, vice president of marketing for Secure64. "Eighty percent don't have any signatures up there. One can speculate about why that is. They may be working on it but haven't pushed the signatures into production yet. All you can tell from the outside looking in is that there's no evidence of progress on the DNSSEC mandate."

"The 20% number is completely believable," says Paul Hoffman, director of the VPN Consortium and an active participant in DNSSEC standardization efforts at the Internet Engineering Task Force. "NIST has been working on DNSSEC, but the individual agency IT departments aren't doing anything. DNSSEC is not a priority."

The Obama administration's failure to meet the cybersecurity deadline comes at a time when dozens of U.S. companies including Google, Yahoo and Adobe have reported cyberattacks by Chinese hackers.

OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments.

"With specific regard to the encryption of DNS databases, the government is committed to data protection and integrity. The steps taken to date by departments and agencies are being evaluated for their effectiveness," OMB spokesman Tom Gavin said in a statement.

Not everyone sees cause for concern in a missed deadline.

"The OMB deadline was a little aggressive,'' says Steve Crocker, an Internet pioneer who is CEO of Shinkuro, an R&D company engaged in DNSSEC-related work.

"I would take it as a very positive sign that there was any movement at all. What I'm hearing is that of the many, many things that all the federal CIOs are forced to pay attention to, DNSSEC is one that is likely to get attention in 2010," Crocker says.

Crocker says it's realistic for the majority of federal agencies to support DNSSC in their .gov subdomains by the end of 2010.

"Missing the mark by one year is pretty good news in this business,'' Crocker says. "There is a gradual tightening of security going on up and down the Internet protocol stack. DNSSEC isn't the be-all-and-end-all, but it's an important piece. The technical community has been working on DNSSEC for 20 years. The top part of .gov is signed, and now we're seeing the other pieces coming along.''

OMB's DNSSEC mandate applies to executive branch departments and agencies that run .gov Web sites. (The Defense Department's .mil Web sites are exempt.) OMB required that .gov would be cryptographically signed at the top level by Jan. 31, 2009, and that milestone was reached a month later in February 2009.

Individual agencies were required to support DNSSEC in all of their subdomains such as www.irs.gov by Dec. 31, 2009. Agencies that appear to have met this deadline include the Commerce and Interior Departments, while the Treasury Department and the Department of Homeland Security have not.

Once it's fully deployed, DNSSEC will have a broad impact on the U.S. public. That's because it will ensure that citizens who think they are visiting federal Web sites are not redirected elsewhere. For example, citizens who file their taxes online want to be sure that when they type www.irs.gov into their browsers, they go to a Web site operated by the Internal Revenue Service and not a scam artist trying to steal their Social Security numbers.

DNSSEC is a hierarchical system, and it requires authentication at every step in the process of matching a domain name with the corresponding IP address. In order for a user to receive an authenticated response from a government Web site like www.irs.gov, DNSSEC needs to be deployed on the Internet's root servers, the .gov domain servers and the subdomain servers operated by the IRS.

"If everything was DNSSEC enabled, it would make it extremely difficult to forge a DNS response," says Ken Silva, CTO of VeriSign, which is deploying DNSSEC on the Internet's root servers as well as the .com and .net domains. "Having said that, it truly needs to be DNSSEC from end-to-end in order to have an impact."

Hoffman points out that there is marginal value for agencies to deploy DNSSEC until the DNS root is signed, which will happen this summer.

"It's a shame more agencies aren't ready for DNSSEC," Hoffman says. "After the root is signed, those agencies that are ready will be coming up to speed much more quickly than those that are not."

Despite the promise of DNSSEC to improve the trustworthiness of the government's online services, many agencies haven't devoted money or personnel to the DNSSEC mandate, experts say.

Other agencies have run into technical glitches as they've deployed DNSSEC.

"When we go to deploy DNSSEC, sometimes there are networking issues where some part of the network might be getting in the way of the digital signatures or sometimes there are firewall issues," Beckett says, adding that these are normal debugging issues rather than major technical hurdles to DNSSEC deployment.

VeriSign says it has run into some difficulties deploying DNSSEC across the root, .com and .net servers, but nothing worse than it expected.

"We've found some technical roadblocks around network equipment including firewalls and load balancers," Silva says. "We've had some versions of those devices act funny with a packet if it's larger than it was normally expecting to be....That's why it's so important to test your own systems and make sure that DNSSEC is not going to cause any problems."

Beckett says agencies had plenty of time to get all of the testing done and to meet the OMB mandate.

"We had a federal customer who signed those domains in a pilot project in three days," Beckett says. "Agencies can deploy this very quickly."

Many other countries -- including Sweden, Bulgaria and Brazil -- have already deployed DNSSEC on their country code domains.

DNSSEC also is operational on the .org domain, and it will be supported in the .com and .net domains by the end of the year.

"It would be really sad if the U.S. government lagged on DNSSEC, if they didn't believe they had to follow the OMB mandate," Hoffman says. "Our allies are already signing their [country code top level domains.] It would be sad if we fell behind."

Industry observers say the Obama administration's failure to meet the DNSSEC deadline is the result of not focusing enough on cybersecurity issues. As evidence they point to the fact that the president didn't announce the selection of Howard Schmidt as White House cybersecurity coordinator until December 2009.

"There's a lack of leadership throughout the government on cybersecurity," Hoffman says. "It's not just that they haven't had the cybersecurity position filled. It's not clear that the cybersecurity position is going to have any power...And none of the agencies are rapidly moving ahead on their own."

OMB denies this criticism.

"Cybersecurity is a top priority for the Administration," Gavin said in a statement. He added that "agencies are aggressively adopting new tools and technologies to ensure the safety of government information."

The OMB DNSSEC mandate was published after a high-profile flaw in the Internet's Domain Name System -- commonly known as the Kaminsky Bug -- was revealed. DNSSEC is the only long-term fix for preventing Kaminsky-style attacks.

This story, "80% of gov't Web sites miss DNS security deadline" was originally published by Network World.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon