NIST logoITL Logo



HAD project banner



High Assurance Domain Measurement

Background

The High Assurance Domain (HAD) project was created to foster development and deployment of new network security technologies to increase trust in online communications. To measure the update of these new technologies, regular network scans are performed to look for security artifacts that indicate that these technologies are being deployed for a given DNS zone.

The test tool takes a list of zone names as input and performs a series of tests for certain security artifacts in the zone or particular services. The majority of these tests are based on DNS queries. The results of the tests are broken down by service (e.g. DNS, email, etc.) with multiple tests per service. The individual tests and presentation of results are detailed below.

HAD Deployment Measurement Tool

The test tool takes a list of zone names as input and performs a series of tests for certain security artifacts in the zone or particular services. The majority of these tests are based on DNS queries. The results of the tests are broken down by service (e.g. DNS, email, etc.) with multiple tests per service. The individual tests and presentation of results are detailed below. For each service column, the results are given as a collection of values defined below. In the example below, the "example4.gov" zone is lame meaning that a delegation is found in the parent zone (i.e. .gov), but no servers could be reached.

This monitor is similar to the NIST Fed IPv6 Deployment Monitor in that some of the same security artifacts are being measured (especially DNSSEC). However, the HAD monitor is focused on services and not the interfaces those services utilize. Therefore, the results appear different for similar sounding tests. Some of the tests are different than the NIST IPv6 monitor, such as tests for the use of TLS/SSL for web, etc.

Domain EntityDNSSEC Status SPFDKIM DMARCSMTP over TLS SMTP Support HTTP FoundHTTPS Available Cert material in DNS
example1.gov Agency One Signed(Good) NS Yes Yes Yes TLSA Yes No None
example2.gov Agency Two No No DKIM? No No No Yes Yes TLSA
example3.gov Agency Three Signed(Island) SPF Yes No Yes CERT No Yes CERT
example4.gov Agency Four - - DKIM? - - - - - -

The input for the .gov test results page comes from the list of Executive Branch zones hosted on data.gov. Administrators can contact the the HAD admins to ask to be included in the measurement and add any other zones that may not currently be included.

Test Methodologies

The tests are broken down by service. Currently the services tested for each zone are DNS (DNSSEC), email authentication and web (HTTP/HTTPS). The presentation of the results may change to improve readability or provide more information, but the underlying tests will not change.

DNS Security Extensions (DNSSEC)

The first column gives the results of measuring DNSSEC deployment for a give zone. The results of the DNSSEC tests is given as a simple "Yes/No" with a status that gives the basic, observable information about the zone. The HAD monitor uses a validating resolver configured with the public key for the root zone (".") and sends a query for the DNSKEY RR for each zone. The response (and validation result) of this query can tell a client a lot about the DNSSEC status of a given zone. The possible values are:

Email Authentication

The second set of tests gives the results of measuring various email authentication techniques that store some information in the DNS. The current technologies being measured are SPF usage, DMARC usage, and TLS certificates for mail servers stored in TLSA (or CERT) RR's in the DNS. Like the DNSSEC test above, the monitor sends a series of queries for relevant RRTypes to see if the given email technology is in use. For SPF, both the SPF and TXT RRTypes are queried. For DMARC, a query for a TXT RR with the name "_dmarc.zonename is sent, according to the naming convention contained in the DMARC specification. DKIM requires some input from the zone under test (see our request for DKIM information. Tests for TLSA and CERT RRTypes are done for the mail servers identified in the MX RRset (if present) in the zone. So mail receivers are checked, not mail senders (yet). The individual tests and result values are:

Web Security

The third set of tests gives the results of measure some web security technologies. Currently, the tool only looks to see if it can contact a web server via HTTP, HTTPS and that it can obtain a certificate from the DNS. To reduce the time needed to run the tests and reduce network communication, only one web server (if there is a set) is tested. Like the DNSSEC and authenticated email tests, the HAD monitor sends a series of DNS queries for various RRTypes. However, the HAD monitor also tries to open an HTTP and/or HTTPS connection as well, so these tests are not strictly DNS based. The tests and results are:


The High Assurance Domain project is a collaboration between the NIST Information Technology Laboratory's Advanced Networking Technology Division and the DHS Science and Technology Directorate's Cyber Security Division.

NIST Logo ITLLogo DHS-S-T-Logo


Questions or comments should be sent to the HAD pilot admin

NIST is an agency of the U.S. Department of Commerce.

Privacy policy / security notice / accessibility statement / Disclaimer / Freedom of Information Act (FOIA) / Environmental Policy Statement / No Fear Act Policy / NIST Information Quality Standards / Scientific Integrity Summary

Date created 06/18/2012. Last updated 10/05/2015.