Home / Blogs


In late August the White House mandated that all of the agencies in the US government have functioning DNSSEC capabilities deployed and operational by December 2009. I am suggesting here that we, as a community, commit to the same timetable. I call upon VeriSign and other registries to bring up DNSSEC support by January 2009. While DNSSEC is not the best ultimate solution, it is the best option currently available. Here are the additional resources suggested by the White House:

The following resources provide additional technical information and guidance to support your agency’s DNSSEC deployment.

DNSSEC Deployment Plan Outline (Edited from that provided by the White House):


Section 1 - Enumerate Your Organizations Domains.

Enumerate the second level domains beneath .com, .net (etc.) operated by your organization (or on behalf of your organization). Only the second level sub-domains need to be listed.

Section 2 - Identify Sources of DNS Services.

For each domain listed above, describe if your DNS administration and server operation are provided in house, outsourced to a commercial provider (e.g., vendor), or delivered by other means (e.g., provided by another group or agency).

Section 3 - Describe DNS Server Infrastructure.

Document the provider, vendor, or source of DNS server implementations within your organization (e.g., BIND, NSD, Microsoft Advanced Directory, etc.). Include in your estimate the number and versions of such servers per source.

Section 4 - Identify and Address Barriers.

Document any perceived technical, contractual or operational barriers impeding deployment of DNSSEC, and required milestones for addressing each.

Section 5 - Train and Pilot.

Review the activities of the USG Secure Naming Infrastructure Pilot at www.dnsops.gov and plan for your agency will participate in this pilot test bed, as well as associated training workshops.

Section 6—Plan of Action and Milestones.

Document your organizations plan of action and milestones to fully implement the policies described in this memo. In particular this plan should detail all key activities (e.g., acquisition if necessary, training, test, deployment, operations plans with priority given to citizen services and E-government domains especially those that collect any personally identifiable information) and milestones necessary to achieve the goal of fully operating DNSSEC signed .gov sub-domains by December 2009.

By Paul Parisi, Chief Technology Officer at DNSstuff.com

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com