U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PROJECTS/PROGRAMS

High Assurance Domains

Share

Summary

 

NIST is working with the Internet industry to design, standardize and foster deployment of technologies to improve the security and robustness of enterprise networks and the core Internet technologies upon which they relay.  The High Assurance Domains (HAD) project is currently focused on improving the security and robustness of  (1) the Domain Name System (DNS) - the ubiquitous naming infrastructure for the global Internet, and (2) enterprise electronic mail systems.  

Description

High Assurance Domains Infor Graphic

NIST's Trustworthy Networks Program seeks to reduce systemic technical vulnerabilities in the foundation of the Internet and other critical network infrastructures.  The objectives of NIST’s High Assurance Domains (HAD) project are to design, standardize and foster wide scale adoption of technologies to improve the security, robustness and privacy of the Internet’s Domain Name System.  A second dimension of the NIST’s effort is to explore ways to leverage a trustworthy global naming service to address other issues in Internet security and scalable trust infrastructures.

 

Major Accomplishments

  • 2025 - NIST published draft updated Secure DNS Deployment Guidance (NIST SP-800-81r3) .
  • 2022 - NIST published research on the use of machine learning to detect botnet DNS abuse.
  • 2020 - NIST, in collaboration with the Federal CIO Council, develops and publishes a Zero Trust Architecture reference.
  • 2017 – NIST, in collaboration with the NCCoE, develops and issues guidance on DNS Based Electronic Mail Security guidance.
  • 2017 – NIST develops and issues Trustworthy Email guidance document (NIST SP-800-177r1).
  • 2016 – NIST develops and deploys online test systems for DANE and DMARC enabled email technologies.

  • 2013 – NIST issues revised Secure DNS Deployment Guide (NIST SP-800-81r1) 

    DoC Gold Medal
  • 2009 – NIST, in collaboration with NTIA develops requirements for DNSSEC deployment at the root of global DNS deploys DNSSEC.  DNS root DNSSEC signed for the first time.  NTIA and HAD project team awarded DoC Gold Medal .
  • 2009 – NIST deployment guidance and test tools enable  .gov to be the first GTLD to operationally deploy DNSSEC.
  • 2009 - NIST works with GSA and OMB to ensure the safety of initial .gov DNSSEC deployment.   HAD project team awarded DoC Gold Medal .
  • 2008 – NIST issues first Secure DNS Deployment Guide (NIST SP-800-81).
  • 2006 – NIST develops and deploys first DNSSEC zone integrity test tool to assist early adopters.
  • 2005 – NIST coauthors set of basic IETF DNSSEC RFCs.

For further details on NIST accomplishments, contributions and impact, see Associated Products below.

The goal of the HAD project is to design, standardize and help deploy new DNS security technologies to aid in building trust in online communications.    NIST’s HAD project team works with the industry, the Internet Engineering Task Force and key user groups (e.g., the USG, the financial services sector) to define, evaluate and foster deployment of these new network security technologies necessary to enable trustworthy communications.  More forward-looking research in the HAD project examines approaches to leverage secure DNS services to build trust infrastructures for challenging new domains, such as those posed by the Internet of Things.

Fostering change in global infrastructure is a long and difficult process even after new commercial products and services are available.  Post standardization activity in the HAD project includes the development of detailed deployment guidance and best common practice guides from pilot deployments and developing test and measurement tools to aid both the product development community and network administrators working through the issues of early adoption and deployment.  Some specific technologies being considered as part of the HAD project include:

DNS Security (DNSSEC) and Privacy

The Domain Name System Security Extensions (DNSSEC) are a set of new DNS Resource Records (RRs) to add digital signatures over DNS data.  These digital signatures add data authentication and integrity protection to DNS data.  Trust with DNSSEC is built upon the existing DNS hierarchy, with parent zones (i.e. com, gov, etc.) encoding the security status of child zones (i.e. nist.gov).  Emerging technologies such as DNS-based Authentication of Named Entities (DANE) leverages DNSSEC to enable the Domain Name System to be used as a ubiquitous, scoped key management and certificate infrastructure.

Trustworthy EMail

Email is still one of the primary means of communication on the Internet. However, email is inherently insecure, and users are taught to mistrust all email from (supposedly) trusted sources.  Several methods to add security (i.e. authentication, confidentiality) have been proposed but few have gained wide acceptance.  Some of these methods rely on the DNS to publish key material or policy information.  With DNSSEC, these methods become trustworthy.  More importantly, with DANE the DNS acts as a trust infrastructure that enables opportunistic encryption between mail systems with no previous knowledge of each.

DANE MTA TLS Diagram

 

High Assurance Domains

Product

Status

Reference

NIST PublicationReleased, CoAuthor

Rose S., Liu C., Gibson R., Domain Name Security (DNS) Deployment Guide, National Institute of Standards and Technology Special Publication 800-81r3, April 2025.

  • Collaborators: Infoblox
Journal PublicationPublished,  Wang Z., Guo Y., Montgomery D., Machine Learning-Based Algorithmically Generated Domain Detection, Computers and Electrical Engineering, Volume 100, May 2022.
NIST PublicationPublished,  

Rose S., Borchert O., Mitchell S., Connelly S., Zero Trust Architecture, National Institute of Standards and Technology Special Publication (SP) 800-207, August 2020.

  • Collaborators: Department of Homeland Security, Stu2Labs
Software ReleaseReleased-Final,  Rose S., HAD Email Monitor, None, March 2019.
Software ReleaseReleased-Final,  Rose S., HAD-dns-monitor, None, March 2019.
NIST PublicationFinal,  Chandramouli R., Nightingale J., Garfinkle S., Rose S., NIST SP 800-177r1 Trustworthy Email, NIST Special Publication 800-177r1, February 2019.
Journal PublicationFinal,  Wang Z., Rose S., Energy-aware DNS Allocation, Sustainable Computing: Informatics and Systems, Vol 19 (Sept 2018), July 2018.
NIST PublicationFinal,  Rose S., Feldman L., Witte G., Improving the Trustworthiness of E-Mail, and Beyond!, ITL Bulletin for April 2018, April 2018.
Conference PublicationAccepted,  Wang Z., Yu S., Rose S., An On-Demand Defense Scheme Against DNS Cache Poisoning Attacks, EAI Endorsed Transactions on Security and Safety, October 2017.
PresentationFinal,  Rose S., DNSSEC Operations in the .gov TLD, DNS-OARC 27, San Jose CA, 9/28-30 2017, September 2017.
NIST PublicationFinal,  Rose S., Feldman L., Witte G., Updating the Keys for DNS Security, ITL Bulletin, September 2017.
NIST PublicationFinal,  Rose S., Waltermire K., Jha S., Irrechukwu C., Barker W., NIST Special Publication 1800-6: Domain Name System Based Electronic Mail Security, NIST Special Publication 1800-6, September 2017.
Journal PublicationFinal,  Wang Z., Huang J., Rose S., Evolution and Challenges of DNS-Based CDNs, Digital Communications and Networks, July 2017.
SoftwareFinal,  Rose S., HAD Email Test Tool, Web tool, May 2017.
PresentationFinal,  Barker W., Rose S., NIST SP 1800-6: Domain Name System Based Email Security, Messaging, Malware, Mobile Anti-Abuse Working Group 39th Meeting, February 2017.
Conference PublicationFinal,  Gersch J., Massey D., Rose S., The Emergence of DANE Trusted Email for Supply Chain Management, Hawaii International Conference on System Sciences HICSS-50, January 2017.
NIST PublicationFinal,  Rose S., Feldman L., Witte G., Making Email Trustworthy, ITL Bulletin, October 2016.
Service DeployedFinal,  Rose S., High Assurance Domain Monitor, https://monitor.dnsops.gov/, August 2016.
Software ReleaseFinal,  Rose S., HAD TLSA Toolbox, Perl Scripts, December 2015.
NIST PublicationFinal,  Rose S., Chandramouli R., NIST Special Publication 800-81-2 Secure Domain Name System (DNS) Deployment Guide, National Institute for Standards and Technology Special Publication 800-81 Revision 2, September 2013.
Conference PublicationFinal,  Rose S., DNSSEC Deployment in .gov: Progress and Lessons Learned, 26th Large Installation System Administration Conference (LISA 2012), pg 223-228, December 2012.
Standards SpecificationPublished,  Rose S., Atkinson R., Bhatti S., DNS Resource Records for the Identifier-Locator Network Protocol (ILNP), Internet Engineering Task Force Request for Comments 6742, November 2012.
Standards SpecificationPublished,  Rose S., DNS Security (DNSSEC) DNSKEY Algorithm IANA Registry Updates, Internet Engineering Task Force Request for Comments 6725, August 2012.
Standards SpecificationPublished,  Rose S., Wijngaards W., DNAME Redirection in the DNS, Internet Engineering Task Force Request for Comments 6672, June 2012.
White PaperFinal,  Rose S., Polk T., Montgomery D., et_al _., Testing and Implementation Requirements for the Initial Deployment of DNSSEC in the Authoritative Root Zone, NTIA and NIST developed requirements specification, October 2009.
Journal PublicationFinal,  Rose S., Chandramouli R., Open Issues in Secure DNS Deployment, IEEE Security &, Privacy, Volume: 7, Issue: 5. Sept.-Oct. 2009., October 2009.
Conference PublicationFinal,  Rose S., Chandramouli R., Nakassis A., Information Leakage Through the Domain Name System, Conference For Homeland Security, 2009. CATCH ',09. Cybersecurity Applications &, Technology, March 2009.
Conference PublicationFinal,  Rose S., Chandramouli R., An Integrity Verification Scheme for DNS Zone File based on Security Impact Analysis, Computer Security Applications Conference, 21st Annual, July 2006.
Journal PublicationFinal,  Rose S., Chandramouli R., Challenges in Securing the Domain Name System, IEEE Security &, Privacy. Volume: 4, Issue: 1. Jan.-Feb. 2006, February 2006.
Conference PublicationFinal,  Rose S., Chandramouli R., Integrity Checking of DNS Zone File Data Using XSLT, Computer Security Applications Conference, 21st Annual, July 2006, July 2005.
Standards SpecificationPublished,  Rose S., Massey D., Austein R., Arends R., Larson M., DNS Security Introduction and Requirements, RFC 4033, Internet Engineering Task Force Request for Comments 4033, March 2005.
Standards SpecificationPublished,  Rose S., Massey D., Arends R., Austein R., Larson M., Resource Records for the DNS Security Extensions, RFC 4034, Internet Engineering Task Force Request for Comments 4034, March 2005.
Standards SpecificationPublished,  Rose S., Austein R., Arends R., Massey D., Larson M., Protocol Modifications for the DNS Security Extensions RFC 4035, Internet Engineering Task Force Request for Comments 4035, March 2005.
Standards SpecificationFinal,  Rose S., Massey D., Limiting the Scope of the KEY Resource Record (RR), Internet Engineering Task Force Request for Comments 3445, December 2002.


Collaborators (3) = Department of Homeland Security, Infoblox, Stu2Labs 

Advanced communications, Information technology, Cybersecurity, Interoperability testing, Networking, Network modeling and analysis, Network security and robustness, Network test and measurement, Next generation networks and Protocol design and standardization
Created August 14, 2016, Updated April 10, 2025