Secure Domain Name System (DNS) Deployment Guide
Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
  Series/Number: NIST Special Publication 800-81 Revision 1
  Title: Secure Domain Name System (DNS) Deployment Guide
  Publication Date(s): April 2010
  Withdrawal Date: September 2013
  Withdrawal Note: SP 800-81 Revision 1 is superseded in its entirety by the publication of SP 800-81-2 (September 2013).

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
  Series/Number: NIST Special Publication 800-81-2
  Title: Secure Domain Name System (DNS) Deployment Guide
  Author(s): Ramaswamy Chandramouli, Scott Rose
  Publication Date(s): September 2013
  URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-81-2

Additional Information (if applicable)
  Contact: Computer Security Division (Information Technology Lab)
  Latest revision of the attached publication: SP 800-81-2 (as of August 7, 2015)
  Related information: http://csrc.nist.gov/
  Withdrawal announcement (link): N/A

Date updated: August 7, 2015

NIST Special Publication 800-81r1
Secure Domain Name System (DNS) Deployment Guide
Sponsored by the Department of Homeland Security
Recommendations of the National Institute of Standards and Technology
Ramaswamy Chandramouli
Scott Rose

COMPUTER SECURITY
Computer Security Division/Advanced Network Technologies Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899

April 2010

U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Dr. Patrick D. 
Gallagher, Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Ramaswamy Chandramouli and Scott Rose of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document. Special thanks are due to the members of the Government DNSSEC Working Group who provided useful feedback and pointers to some of the documents referred to in this document. 
We also thank Tim Grance, program manager of the Cyber and Network Security program, and Doug Montgomery of the Advanced Network Technologies Division for their leadership and guidance throughout this project. Last but not least, we are grateful to Douglas Maughan of the Department of Homeland Security for the sponsorship of this effort. The authors would also like to thank those who provided valuable feedback on the original revision of this Special Publication.

Table of Contents

Executive Summary ... 1
Changes in this Document ... 4
1. Introduction ... 1-1
  1.1 Authority ... 1-1
  1.2 Purpose and Scope ... 1-1
  1.3 Audience ... 1-1
  1.4 Document Structure ... 1-2
2. Securing Domain Name System ... 2-1
  2.1 What is the Domain Name System (DNS)? ... 2-1
  2.2 DNS Infrastructure ... 2-2
  2.3 DNS Components and Security Objectives ... 2-6
  2.4 Focus of the Document ... 2-6
3. DNS Data and DNS Software ... 3-1
  3.1 Zone File ... 3-1
  3.2 Name Servers ... 3-1
    3.2.1 Authoritative Name Servers ... 3-2
    3.2.2 Caching Name Servers ... 3-2
  3.3 Resolvers ... 3-2
4. DNS Transactions ... 4-3
  4.1 DNS Query/Response ... 4-3
  4.2 Zone Transfer ... 4-3
  4.3 Dynamic Updates ... 4-4
  4.4 DNS NOTIFY ... 4-5
5. DNS Hosting Environment—Threats, Security Objectives, and Protection Approaches ... 5-1
  5.1 Host Platform Threats ... 5-1
  5.2 DNS Software Threats ... 5-2
  5.3 Threats Due to DNS Data Contents ... 5-2
  5.4 Security Objectives ... 5-3
  5.5 Host Platform Protection Approach ... 5-3
  5.6 DNS Software Protection Approach ... 5-3
  5.7 DNS Data Content Control – Protection Approach ... 5-3
6. DNS Transactions—Threats, Security Objectives, and Protection Approaches ... 6-1
  6.1 DNS Query/Response Threats and Protection Approaches ... 6-1
    6.1.1 Forged or Bogus Response ... 6-1
    6.1.2 Removal of Some RRs ... 6-2
    6.1.3 Incorrect Expansion Rules Applied to Wildcard RRs ... 6-2
    6.1.4 Protection Approach for DNS Query/Response Threats—DNSSEC ... 6-2
  6.2 Zone Transfer Threats and Protection Approaches ... 6-4
  6.3 Dynamic Updates Threats and Protection Approaches ... 6-4
  6.4 DNS NOTIFY Threats and Protection Approaches ... 6-5
  6.5 Threats Summary ... 6-5
7. Guidelines for Securing DNS Hosting Environment ... 7-1
  7.1 Securing DNS Host Platform ... 7-1
  7.2 Securing DNS Software ... 7-1
    7.2.1 Running the Latest Version of Name Server Software ... 7-1
    7.2.2 Turning