BlueCat's Public Sector Practice Announces New OMB Mandate, NIST-Compliant DNSSEC Functionality

BlueCat's new functionality will make it simple for any U.S. federal government agency to comply with U.S. federal government DNSSEC standards and mandates

February 5, 2009


Reston, Virginia - February 5, 2009 - BlueCat Networks, the IPAM Intelligence Company™, today underscored its commitment to the U.S. federal market by announcing new DNSSEC functionality for its Proteus™ IPAM and Adonis™ family of DNS/DHCP solutions. Developed to meet all recommendations outlined by the National Institute of Standards and Technology (NIST) in its 'Secure Domain Name System (DNS) Deployment Guide,' BlueCat's new functionality will make it simple for any U.S. federal government agency to comply with U.S. federal government DNSSEC standards and mandates - including the recent OMB M-08-23 memorandum, which requires U.S. federal government agencies to add DNSSEC cryptographic authentication functionality to DNS servers by December, 2009.

Designed to protect DNS clients from forged DNS data that is the result of a DNS attack, such as cache poisoning, BlueCat's DNSSEC functionality signs all DNS requests on the authoritative server, using a digital signature. When a DNS client requests a DNS record, it can verify that the record received is identical to the record on the authoritative server.

In the event that an unauthorized user tries to exploit a U.S. federal government agency's DNS server, the altered record will not be verified as it has not been signed using the digital signature. This prevents users from receiving poisoned DNS, and increases the reliability of records received from DNSSEC-enabled DNS servers.

"As high-profile incidents such as the Kaminsky exploit in 2008 underscore, U.S. federal government must take every precaution to ensure networks are secure," said Gene Skiba, VP U.S. Public Sector for BlueCat Networks' dedicated U.S. Public Sector Group in Reston, Virginia. "BlueCat has always been at the forefront of DNSSEC innovation, and this latest functionality will make it simpler than ever before for U.S. federal government agencies to fully comply with all U.S. federal government standards," Skiba continued. "BlueCat has been gaining significant traction in the U.S. federal government space, and given the fact that DNSSEC usage is increasing, and that the U.S. federal government plans to sign the .gov and .mil domains by the end of 2009, providing leading-edge DNSSEC functionality remains a top priority for us."

BlueCat's new DNSSEC functionality includes:

Support for DNSSEC Resource Records

BlueCat will support all the resource records required to provide DNSSEC functionality for hosted authoritative domains, including Resource Record Signatures (RRSIGs), DNSKEY and Next Secure (NSEC) records. These records are not configurable; they are automatically created and maintained by the DNS system.

DNSSEC Validation

BlueCat's Adonis DNS/DHCP appliance will be able to properly validate signed records from other DNSSEC-enabled servers.

Support for DNSSEC Signed Zones

BlueCat will provide support for DNSSEC Signed Zones using Zone Signing Keys (ZSK) and Key Signing Keys (KSK). Zone Signing Keys are used to sign the records within a zone - for example, www host in the zone. Key Signing Keys are used to sign the ZSKs and are also used as the trust anchor for validation of DNS responses. Both ZSKs and KSKs can be automatically generated on a per-zone basis within Proteus. The new functionality will enable BlueCat to support RSASHA-1 and DSASHA-1 key ciphers at 1024 bit and 4096 bit strengths. Optionally, administrators can manually add their own keys to the system that will be used for signing. Other key ciphers may be added in future releases depending on customer needs.

Ability to Configure Trust Anchors

BlueCat will provide the ability to configure Trust Anchors, which are used to validate responses from other authoritative name servers. Trust Anchors will be configurable at a server level using DNS Options, where multiple Trust Anchors can be configured using their zone name and public KSK.

The proliferation of such technology as VoIP, RFID, wireless, virtualization, and IPv6 is making it impossible for U.S. federal government agencies to continue managing IP addresses with spreadsheets and homegrown solutions. BlueCat's market-leading solutions integrate with Microsoft Active Directory to enable U.S. federal government agencies to completely eliminate network accessibility problems by making it simple and secure for administrators to centrally deploy, manage, monitor and audit IP addresses across an entire organization from a single web-based interface.

About BlueCat Networks

BlueCat Networks, the IPAM Intelligence Company™, is a profitable, rapidly-growing leading provider of enterprise-class IP Address Management (IPAM) platforms and secure DNS/DHCP network administration appliances. Today, thousands of BlueCat's award-winning Proteus™ IPAM platforms and Adonis™ family of DNS/DHCP appliances have been successfully deployed to meet the rising IP management demands of government, military, financial services, retail and manufacturing organizations worldwide. Find out why more Fortune companies choose BlueCat solutions to gain complete, centralized Command and Control of their IP networks at
