Summary
Status: Required
Domain Name System Security Extensions (DNSSEC) is an extension of the Domain Name System (DNS) that provides integrity and authentication.
DNSSEC is currently required federally for all systems. The current sources of the requirement are Office of Management and Budget (OMB) Circular A-130 (2016) and the security controls in NIST SP 800-53, Revision 5 and the associated baselines in NIST SP 800-53B (controls SC-20 and SC-21, applicable to all systems).
Various online sources incorrectly state that DNSSEC is no longer required because of the 2018 rescission of the 2008 OMB memo that originally set deadlines for federal DNSSEC implementation. As of 2024, DNSSEC is still mandated across the federal government.
History
The federal government began requiring DNSSEC in NIST SP 800-53, Revision 1 (2006), which created two controls that functionally required DNSSEC, to some degree, for systems with a security impact level of either high or moderate. In particular, the controls were:
- SC-20, Secure Name / Address Resolution Service (Authoritative Source), required for systems with an overall security impact level of moderate or high; and
- SC-21, Secure Name / Address Resolution Service (Recursive or Caching Resolver), required only for systems with an overall security impact level of high.
Referenced as implementing guidance for these controls was NIST SP 800-81 (2006), Secure Domain Name System (DNS) Deployment Guide, which provided an overview of securing DNS, with particular emphasis on DNSSEC.[1] Because federal systems are required to meet the security control baselines in NIST SP 800-53, the creation of SC-20 and SC-21 in 2006 functioned as the initial federal DNSSEC requirement.[2]
In August 2008, the Office of Management and Budget (OMB) provided deadlines for federal DNSSEC adoption through its memorandum M-08-23, Securing the Federal Government’s Domain Name System Infrastructure. This memo restated the existing requirements in NIST SP 800-53, stated that the requirement would be expanded to all federal systems in the next update to NIST SP 800-53, and required that top-level .gov domains deploy DNSSEC by January 2009. Further, agencies were required to develop a plan of action and milestones to deploy DNSSEC agency-wide by December 2009.[3]
While significant activity regarding DNSSEC implementation occurred from 2009 to 2015, OMB did not mention DNSSEC again until memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, which established an “HTTPS-only” federal standard. That memo mentioned DNSSEC only in passing and made no changes to the existing DNSSEC requirements.[4]
In 2016, OMB reiterated the federal DNSSEC requirement in Circular A-130 (2016):
Ensure that all Federal systems and services identified in the Domain Name System are protected with [DNSSEC] and that all systems are capable of validating DNSSEC[-]protected information.
The only notable federal DNSSEC-related publication since 2016 is OMB’s memorandum M-18-23, which was issued to rescind numerous older memoranda considered redundant or outdated. In particular, the memorandum M-08-23, in which OMB provided its initial DNSSEC deadlines, was rescinded with the following rationale:
OMB is rescinding M-08-23, which provides additional guidance on the Domain Name System (DNS), specifically focusing on new security protections for the Federal DNS. The requirements in this memorandum are outdated; agencies should have implemented these security protections.
This rescission did not remove the requirement to implement DNSSEC across the federal government. DNSSEC remains explicitly required by OMB Circular A-130 (2016), quoted above, and by NIST SP 800-53B (2020), which retains the DNSSEC-related security controls in the security control baselines for all systems.
OMB’s rescission of the initial memo setting DNSSEC deadlines has resulted in the misunderstanding that DNSSEC is no longer federally mandated. For example, the website for cloud.gov, a federally managed Platform as a Service (PaaS) offering, states that “cloud.gov does not currently support DNSSEC on cloud.gov domains” and notes that “OMB memo M-18-23 rescinds M-08-23, the OMB memo that originally mandated DNSSEC for federal systems.”[5] The misunderstanding that DNSSEC is no longer federally required has been repeated across numerous webpages. While the federal government could revoke the requirement in the future, DNSSEC remains an on-the-books requirement, for better or worse.[6]
1. NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide, was updated once in April 2010 and again in September 2013. ↩︎
2. See Federal Information Processing Standards Publication 200 (FIPS 200). ↩︎
3. The website www.dnsops.gov (archived) was created around this time to provide guidance on implementing DNSSEC. The website specifically addressed the so-named Secure Naming Infrastructure Pilot (SNAP), whose goal was “to provide a test domain for participants to use and become familiar with [DNSSEC] and how they will affect current DNS operations.” This website appears to have been closed sometime after May 2016 (archived). ↩︎
4. For an example of federal DNSSEC activities, NIST updated its DNSSEC guidance twice: NIST SP 800-81, Revision 1 (2010), and NIST SP 800-81, Revision 2 (2013). In addition, in 2010 (or earlier), NIST created a website that tracked the adoption of DNSSEC (and IPv6) across government domains. The website is still available here. ↩︎
5. For cloud services, the Federal Risk and Authorization Management Program (FedRAMP) still explicitly checks for DNSSEC, as noted in the 3PAO Readiness Assessment Report Guide. FedRAMP does recognize that DNSSEC, among other requirements, is a “particular authorization pain point[]” in a March 28, 2024, blog post. ↩︎
6. Significant debate around the usefulness, or lack thereof, of DNSSEC has existed for many years. While outside the scope of this article, the author, like many, would be pleased to see an explicit rescission of the federal DNSSEC requirement. ↩︎