The Bush administration has ordered all federal agencies to adopt new measures to shore up the security of government Web sites, setting a January 2009 deadline for implementing the changes across all dot-gov domains.
Agencies will be required to roll out domain name system security extensions (DNSSEC), a set of security add-ons for the domain name system.
DNSSEC seeks to protect Internet users against forged or poisoned DNS data by digitally signing DNS requests. By checking a digital signature, the end-user (or tools built into the browser) can verify that the DNS information was indeed sent by the authoritative DNS server for that domain.
The White House Office of Management and Budget mandate comes amid increased attacks against a pervasive security weakness recently uncovered in DNS.
However, many Internet service providers and companies responsible for maintaining portions of the Internet have yet to apply the fixes, and criminals are beginning to take advantage of the weakness.
Having DNSSEC in place would make it much harder for hackers to hijack Web traffic destined for dot-gov domains, says the director of the SANS Internet Storm Center, a group that tracks hacking trends.
“That way, the software you use could validate through the digital signature process that you’re really filing your taxes at www.irs.gov, and not some scammer site” that has hijacked your computer or ISP’s DNS records.
Under the timetable, the federal government will need to develop initial planning drafts by Sept. 5, 2008, and deploy DNSSEC to the top level dot-gov domain by next January. Agencies will need to have the system rolled out entirely to all second-level domains beneath dot-gov by Dec. 2009.
Damir says
Great info – thanks