US Government Moves Fast on DNSsec

I honestly didn’t think I would live to see it, and this interview with Mockapetris about DNSsec adoption didn’t help.

$ dig +dnssec president.gov

; <<>> DiG 9.3.5-P1 <<>> +dnssec president.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;president.gov.                 IN      A

;; AUTHORITY SECTION:
gov.                    10800   IN      SOA     A.GOV.ZONEEDIT.COM. govcontact.ZONEEDIT.COM. 1226785404 3600 900 1814400 86400
gov.                    10800   IN      RRSIG   SOA 5 1 259200 20081215220741 20081115220741 45162 gov.
    UREQjZUJ9/40y/kZytGcBX0jonfNf/yiu0XKDHlVWeKjLkOFqqwY9cf2 gON/ThzPpWRF7aJyo785PQDhYttg5cjDfSF0GKKhsnNcZjYC3u1nluH6
    noQVYGsQ7MpZrNiQnbzg83I4a8z5DIdj1rksaQddAMmR2kIsB0Jh3Duj zq6tfmCcqyQVxzXPUO9rhq87yuYM9gEttm+zlyqBO+TZrykd5u0OMIXK
    YNHchhYX/KYebwfgUq0jo4AZRyVx8fVNu0WXsedjLMtByokwI26u5TpU DsfDUYabOXWjXn40Dg5Se9msQUzKBXgFZEHTCBQ8N9JN9Z9gM+pY5JO5 7mNDvg==
gov.                    10800   IN      NSEC    2010CENSUSJOBS.gov. NS SOA RRSIG NSEC DNSKEY
gov.                    10800   IN      RRSIG   NSEC 5 1 86400 20081215220741 20081115220741 45162 gov.
    s5iu9X5tFvRZCZqkayZbbAXQfSi3Kjj8sh4qyFdDnIqXKXLB/fFRH2rw 2E3QDFLE6mLRbfvwJzJ16xwrtUuVliUK0H0ktP3jU03zcYcK8nRjtsn7
    jPTmD+qcaXc1lbGzdi2srTKrPAqbVdetBQgQ9rDV+ZPMzcUZ5LUqcOVe tqgKGiKbB2xGEZySK0R+dyAmPkhhlcyqpfJtYcyd+nTP2XJ5EqRM9S14
    8A1vb0zZgJwrBaJNEOZL9ZHSyWLRiCqlegu4qyDnVWBC2uKB8Nkwdl9a RR7IgZ4D4K2vgbqprk7U7G+xSp8CMVfK4wAgTVM7MG23U0R3PndrS217 rQa2KQ==
PRESERVEAMERICA.gov.    10800   IN      NSEC    PRESIDENTIALSERVICEAWARDS.gov. NS RRSIG NSEC
PRESERVEAMERICA.gov.    10800   IN      RRSIG   NSEC 5 2 86400 20081215220741 20081115220741 45162 gov.
    U7zNw6u1syRBTv9uuU2mFEBANbCkJuVNprtU/K0rn3NgCmlt5MNQPKmV oobpjqfoolqPIPeU5TgM3L+CokDvhSXzuM8pmwQwlqD0l/oH3JE5K3zT
    kLsevS2piYeotJAPE4mWl4wZgAkSwuHluwaOqVhjGL6nU01ide5q45HQ lDgjpcTe4VHh38szXOoBNMCDTD6+nvpguniULV6gWj6Cat2cp6vetZc8
    xnxhUXcCBgZbU5Qx876bDy3m1KIoc2A7kgWCDuEuvurvQjXR8UCijigf pIAtVGrXZMOg+TNOk+5eIY/B4oOOY1bdAZHwvVD223BOO8QLdyHycT8S oh8oJA==

;; Query time: 106 msec
;; SERVER: 10.1.2.41#53(10.1.2.41)
;; WHEN: Mon Nov 17 15:40:42 2008
;; MSG SIZE  rcvd: 1088

I know that EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET Memo M-08-23, dated August 22, 2008, stated:

The Federal Government will deploy DNSSEC to the top level .gov domain by January 2009. The top level .gov domain includes the registrar, registry, and DNS server operations. This policy requires that the top level .gov domain will be DNSSEC signed and processes to enable secure delegated sub-domains will be developed. Signing the top level .gov domain is a critical procedure necessary for broad deployment of DNSSEC, increases the utility of DNSSEC, and simplifies lower level deployment by agencies.

But I did not expect “dig +dnssec” to show me the .gov top-level zone signed and working before, well, December 2009.

Hats off to the folks involved in getting this moving ahead very swiftly.

You can follow this project’s progress at the FISMA website.
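What the dig output above actually proves is worth spelling out. The response is NXDOMAIN, the DO bit was set in the query, and the authority section carries two NSEC records with RRSIGs: one from gov. to 2010CENSUSJOBS.gov. (which proves no *.gov wildcard exists, since "*" sorts before any digit or letter) and one from PRESERVEAMERICA.gov. to PRESIDENTIALSERVICEAWARDS.gov., which brackets president.gov. in canonical order. Note that the flags line shows qr rd ra but no ad: the recursive resolver handed the signatures through without validating them. The script below is an added example, not code from the post or from Arbor; it parses dig's text output, applies the RFC 4034 canonical ordering rule, and reports whether a structurally complete denial-of-existence proof is present. It does not verify the signatures cryptographically. The first sample is an abridged copy of the post's output (signature data elided); the second is a constructed response with the same shape as the signature-free reply a reader posts in the comments, where the authority section contains only the SOA.

```python
"""Check an NXDOMAIN `dig +dnssec` answer for an NSEC denial-of-existence proof."""
import re


def canonical_key(name):
    """RFC 4034 section 6.1 ordering key: labels reversed and case-folded.

    Tuple comparison then yields canonical order: an ancestor name (a prefix
    of the label tuple) sorts before its descendants, and each label compares
    as lowercased octets, so "*" (0x2a) sorts before "2" (0x32) and "a".
    """
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def nsec_covers(owner, next_name, name):
    """True if `name` lies in the gap an NSEC record (owner -> next) proves empty."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < q < n
    # The last NSEC in a zone points back to the apex and covers everything after owner.
    return q > o or q < n


def parse_dig(text):
    """Extract status, header flags, the EDNS DO bit and ANSWER/AUTHORITY records."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r";; flags: ([^;]*);", text).group(1).split()
    edns = re.search(r"; EDNS: .*flags:([^;]*);", text)
    do_bit = bool(edns and "do" in edns.group(1).split())
    records, section = [], None
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION:" in line:
            section = line.split()[1]          # QUESTION, ANSWER, AUTHORITY, ...
            continue
        if not line.strip() or line.startswith(";") or section not in ("ANSWER", "AUTHORITY"):
            continue
        if line[0].isspace():                  # continuation of a multi-line RRSIG
            records[-1]["rdata"] += line.split()
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append({"owner": owner, "type": rtype, "rdata": rdata})
    return status, flags, do_bit, records


def analyze(text, qname):
    """Summarise what the response proves about `qname` (structure only, no crypto)."""
    status, flags, do_bit, records = parse_dig(text)
    nsecs = [r for r in records if r["type"] == "NSEC"]
    rrsig_types = {r["rdata"][0] for r in records if r["type"] == "RRSIG"}
    zone = next((r["owner"] for r in records if r["type"] == "SOA"), None)
    qname_covered = any(nsec_covers(r["owner"], r["rdata"][0], qname) for r in nsecs)
    wildcard_denied = zone is not None and any(
        nsec_covers(r["owner"], r["rdata"][0], "*." + zone) for r in nsecs)
    return {
        "status": status,
        "ad": "ad" in flags,                   # resolver validated the answer
        "do": do_bit,                          # client asked for DNSSEC records
        "signed": "NSEC" in rrsig_types,       # NSEC records carry RRSIGs
        "qname_covered": qname_covered,
        "wildcard_denied": wildcard_denied,
        "proof_complete": status == "NXDOMAIN" and "NSEC" in rrsig_types
                          and qname_covered and wildcard_denied,
    }


# Abridged from the post's dig output; RRSIG signature data elided.
SIGNED_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;president.gov.                 IN      A

;; AUTHORITY SECTION:
gov.  10800 IN SOA   A.GOV.ZONEEDIT.COM. govcontact.ZONEEDIT.COM. 1226785404 3600 900 1814400 86400
gov.  10800 IN RRSIG SOA 5 1 259200 20081215220741 20081115220741 45162 gov.
    UREQjZUJ9/40y/kZytGcBX0jonfNf/yiu0XKDHlVWeKjLkOFqqwY9cf2 (elided)
gov.  10800 IN NSEC  2010CENSUSJOBS.gov. NS SOA RRSIG NSEC DNSKEY
gov.  10800 IN RRSIG NSEC 5 1 86400 20081215220741 20081115220741 45162 gov.
    s5iu9X5tFvRZCZqkayZbbAXQfSi3Kjj8sh4qyFdDnIqXKXLB/fFRH2rw (elided)
PRESERVEAMERICA.gov. 10800 IN NSEC  PRESIDENTIALSERVICEAWARDS.gov. NS RRSIG NSEC
PRESERVEAMERICA.gov. 10800 IN RRSIG NSEC 5 2 86400 20081215220741 20081115220741 45162 gov.
    U7zNw6u1syRBTv9uuU2mFEBANbCkJuVNprtU/K0rn3NgCmlt5MNQPKmV (elided)
"""

# Constructed: same query, but the authority section carries only the SOA.
UNSIGNED_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4985
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;president.gov. IN A

;; AUTHORITY SECTION:
gov. 900 IN SOA A.GOV.ZONEEDIT.COM. govcontact.ZONEEDIT.COM. 1227391264 3600 900 1814400 86400
"""

if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_NXDOMAIN), ("unsigned", UNSIGNED_NXDOMAIN)):
        print(label, analyze(sample, "president.gov."))
```

Run it as-is, or pipe a live `dig +dnssec <name>` into `analyze()`. A result with `proof_complete` True but `ad` False is exactly the situation in the post: the zone is signed and the proof is present, but the resolver you asked is not validating, so nothing has yet been checked on your behalf. A response with `do` True and `signed` False, as in the second sample, means either the zone's signatures were not returned or something between you and the authority stripped them, and the NXDOMAIN should not be trusted as a DNSSEC-backed answer.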

3 Responses to “US Government Moves Fast on DNSsec”

November 18, 2008 at 5:31 pm, Interesting Information Security Bits for 11/18/2008 at Infosec Ramblings said:

[…] Looks like the U.S. government is crackin’ on implementing DNSSEC. US Government Moves Fast on DNSsec | Security to the Core | Arbor Networks Security […]

November 22, 2008 at 8:45 pm, Richard Bejtlich said:

Why is this not working for me?

$ dig +dnssec president.gov

; <<>> DiG 9.4.2-P2 <<>> +dnssec president.gov
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4985
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;president.gov. IN A

;; AUTHORITY SECTION:
gov. 900 IN SOA A.GOV.ZONEEDIT.COM. govcontact.ZONEEDIT.COM. 1227391264 3600 900 1814400 86400

;; Query time: 43 msec
;; SERVER: 172.16.2.1#53(172.16.2.1)
;; WHEN: Sat Nov 22 19:28:46 2008
;; MSG SIZE rcvd: 107

November 22, 2008 at 9:00 pm, Jose Nazario said:

interesting, richard, it stopped working for me, too. i wonder what happened …
