Infoblox Delivers the Industry's Most Automated DNSSEC Solution

  • Fully Automated Key Management and Rollover Eliminates Barriers to DNSSEC Adoption

Infoblox Inc. recently announced availability of additional functionality to help organizations simplify deployment of the Domain Name System Security Extensions (DNSSEC), a suite of IETF specifications for securing information provided by DNS.

Many security researchers are expressing growing alarm over the state of DNS security. Security researcher Dan Kaminsky, Director of Penetration Testing at IOActive, who exposed the "Kaminsky DNS vulnerability" and is advocating implementation of DNSSEC, commented: "The lack of DNS security not only makes the Internet vulnerable, but is also crippling the scalability of important security technologies."

And, underscoring the importance of DNS security and DNSSEC, implementation of DNSSEC is mandated for U.S. Federal government agencies by the end of December 2009.

However, DNSSEC adoption until recently has been slow, hampered by concerns over the operational complexity associated with provisioning and distributing cryptographic keys and the overhead required to digitally sign DNS information. Implementing DNSSEC using DNS freeware or general-purpose operating systems requires the execution of numerous time-consuming and error-prone steps each time DNS data are added or modified.

Infoblox addresses this with its "one-click DNSSEC" solution that automates the processes of signing and maintaining a signed zone. Key generation is performed automatically using DNSSEC properties specified at the Grid or zone level; resource record signatures are maintained; and zone signing key rollover occurs seamlessly at the interval specified.

Infoblox also automates the critical process of periodically changing keys, known as "key rollover", which is essential to ensuring that secure DNS data cannot be compromised. Keys are rolled over automatically according to best practices recommended by the National Institute of Standards and Technology (NIST SP 800-81) and RFC 4641. DNSSEC records are signed and re-signed automatically each time DNS data are changed. This eliminates dozens of error-prone manual operations and removes the need to write and maintain custom scripts.

Further, configuring a secondary and/or recursive name server for DNSSEC can also be accomplished with a single click. The solution also automates important administrative functions including easy importing of trust anchors.

Infoblox Vice President of Architecture and DNS expert, Cricket Liu, commented: "Addressing the most threatening DNS security concerns requires a globally coordinated effort to deploy DNSSEC. The functionality Infoblox provides in its purpose-built, highly automated solutions helps organizations overcome deployment challenges by eliminating the complex tasks required to support DNSSEC with conventional solutions."

For more information, see http://www.infoblox.com/solutions/dnssec-overview.cfm.