Progress of DNS Security Deployment in the Federal Government
In 2008, the US Federal government mandated that all DNS zones owned by the Federal Executive Branch must deploy DNSSEC. Initial deployments lagged and were often error-prone. In response, the DNSSEC Tiger Team was formed to aid deployment and to develop a monitoring system. The results showed a significant increase in deployment as well as a reduction in errors. When errors were detected, the time it took to resolve the problem was also reduced. This paper discusses the history of DNSSEC in the gov domain, the types of errors seen, and how they were reported. It concludes with a set of lessons learned that would apply to other large domains or groups wishing to make DNSSEC a requirement for operation in members' zones.