ESnet Gets a Jump on Implementing DNS Security

The Department of Energy (DOE) has finished implementing Domain Name System Security Extensions (DNSSEC) to its high-performance Energy Sciences Network (ESnet) using a commercial appliance to digitally sign Domain Name System records and manage cryptographic keys. The signed records were published last month, in December 2009, ahead of a mandate from the U.S. Office of Management and Budget (OMB) requiring government networks outside of the .gov domain to do so.

In August of 2008 the OMB required that all top-level .gov domain be signed by February 2009, while those immediately under the .gov domain had until the end of 2009 to implement DNSSEC. Because ESnet (www.es.net) uses the .net and .org top-level domains, it was not obliged to sign by the OMB mandate. Nevertheless, ESnet decided to go ahead and be in compliance anyway should OMB expand its mandate.

"These days running DNS (Domain Name System) is pretty darn simple. It was much more of a nuts and bolts operation when I started with it years ago. Although DNSSEC is relatively new, I suspect that it will eventually be as simple to manage as today’s DNS system," says Kevin Oberman, the ESnet network engineer who led the effort to implement DNSSEC. "We decided to go with a commercial hardware solution for implementing DNSSEC on ESnet. I wanted it to be an appliance, not a complex, custom system that would require a lot of technical expertise to operate."

DNS is a vital part of the Internet that underlies almost all activities. Like a phonebook, the system translates domain names like www.lbl.gov into IP addresses like 128.3.41.105, associated with that organization’s networking equipment. These numbers enable the network's devices to locate each other and connect on a global scale.

A fundamental design principle of the DNS is that, as a public service to share host names and IP addresses, the original protocol was not designed to restrict access. Unfortunately, this openness contributed to a host of vulnerabilities within the system. As new protocols emerged that used IP addresses and host names as a basis for allowing or barring access, it became even more essential that the information contained within the DNS is accurate; false information could lead to dangerous exposures like client flooding, dynamic update vulnerability, information theft, and the compromise of the DNS server's authoritative database.

Domain Name System Security Extensions (DNSSEC) provide authentication and ensure the integrity of the DNS through the use of cryptographic signatures generated with public key technology. Security-aware servers and resolvers utilize this technology to ensure that the information obtained from a DNS server is authentic and has not been altered. Although digitally signing DNS records is not particularly difficult, managing the process and cryptographic keys securely can be challenging. Several commercial vendors have developed tools to automate this process, and ESnet is using DNS Signer, a dedicated appliance from Secure64 Corp.

"When I started looking into DNSSEC about two years ago, there were only two companies that were supporting this technology. Of the two, Secure64 had the level of hardware and software support that best suited our needs," says Oberman.

The appliances were installed on ESnet in mid-2009, and the first zones were signed upon installation.  Oberman notes that the most complex job was synchronizing two signers, one on each coast, to provide redundancy for the system.

"By the end of 2009, many ESnet connected organizations had to digitally sign their records to comply with the OMB mandate. We wanted to get a head start on learning about signing and getting the procedures down so that we could help them," says Oberman. "When you publish data, you don't get a second chance to correct mistakes."

Funded primarily through DOE's Office of Science, ESnet is the nation's leading high-bandwidth network dedicated entirely to science. The network connects to more than 40 sites conducting DOE-funded research, including some 20 large-scale experimental facilities and large supercomputing centers used by thousands of scientists generating massive amounts of data. One goal of the project is to provide a 100 Gbps link between DOE's largest unclassified supercomputing centers in California, Illinois and Tennessee. Its current network, ESnet4, received a 2009 Excellence.gov award for innovative use of technology from the Industry Advisory Council. The network is managed and operated by the ESnet staff at the Lawrence Berkeley National Laboratory.

Berkeley Lab is a DOE national laboratory located in Berkeley, California. It conducts unclassified scientific research and is managed by the University of California for the DOE Office of Science.