[dns-operations] DNSSEC misconfiguration (fwd)
Donelan, Sean
Sean.Donelan at dhs.gov
Sat Jul 31 01:44:41 UTC 2010
>> I do hope that as GOV evaluates new mandates and best practices, they
>> include provisions for eating your own dog food. Requiring .GOVs to
run
>> validation on their recursors and validate their own zones would have
>> gone a long way to reducing these sorts of problems. Or, at least it
>> would have spread the pain.
>>
>We have best practices and guidance docs that (apparently) no one reads
>now, so more won't help. I have heard that someone with more
enforcement
>authority will be checking for compliance within .gov and validation
will
>be pushed down in future FISMA revisions (making it mandatory as well).
Scott is probably referring to our group, the new assistant deputy FISMA
cat herders :-) It also shows, be careful what you ask for, because
that's
all you are going to get and it will take years for agencies to change
again.
I'm updating the compliance checklists for the next version of Trusted
Internet Connections (TIC 2.0). It includes some DNS/DNSSEC
capabilities
and a reference appendix on DNS/DNSSEC. NIST best practices and
guidance
documents are still what agencies follow, we just select a few items for
the compliance review process.
It's not ready for public review, but we were accepting inter-agency
comments.
The deadline for inter-agency comments was July 16, 2010; but it's never
too
late for good ideas.
If you are a US Federal agency (a .GOV or .MIL e-mail address required
to login), please review the TIC 2.0 updates and capability checklists
https://max.omb.gov/community/display/Egov/Trusted+Internet+Connections
--
Sean Donelan
Federal Network Security
US Dept of Homeland Security
More information about the dns-operations
mailing list