[dns-operations] DNSSEC misconfiguration (fwd)

Donelan, Sean Sean.Donelan at dhs.gov
Sat Jul 31 01:44:41 UTC 2010

>> I do hope that as GOV evaluates new mandates and best practices, they
>> include provisions for eating your own dog food.  Requiring .GOVs to
>> validation on their recursors and validate their own zones would have
>> gone a long way to reducing these sorts of problems.  Or, at least it
>> would have spread the pain.
>We have best practices and guidance docs that (apparently) no one reads
>now, so more won't help.  I have heard that someone with more
>authority will be checking for compliance within .gov and validation
>be pushed down in future FISMA revisions (making it mandatory as well).

Scott is probably referring to our group, the new assistant deputy FISMA
cat herders :-)  It also shows, be careful what you ask for, because
all you are going to get and it will take years for agencies to change

I'm updating the compliance checklists for the next version of Trusted
Internet Connections (TIC 2.0).  It includes some DNS/DNSSEC
and a reference appendix on DNS/DNSSEC.  NIST best practices and
documents are still what agencies follow; we just select a few items for
the compliance review process.

It's not ready for public review, but we were accepting inter-agency
The deadline for inter-agency comments was July 16, 2010; but it's never
late for good ideas.

If you are a US Federal agency (a .GOV or .MIL e-mail address required
to log in), please review the TIC 2.0 updates and capability checklists

Sean Donelan
Federal Network Security
US Dept of Homeland Security
