Upload
others
View
32
Download
2
Embed Size (px)
Citation preview
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page1of22
Documentcontrol
Documentinformationandsecurity
CONDUCTEDBY RESPONSIBLEFORFACTS RESPONSIBLEFORDOCUMENT
SECURITYOFFICER SECURITYOFFICER SECURITYOFFICER
Approvedby
DATE NAME FUNCTION
SECURITYOFFICER
Audits
DATE VERSION NAME DESCRIPTION
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page2of22
TableofContentTableofContent 2
1. Introduction 6
1.1. Overview 6
1.2. Documentnameandidentification 6
1.3. CommunityandApplicability 6
1.3.1. Registry 6
1.3.2. Registrar 7
1.3.3. Registrant 7
1.3.4. Applicability 7
1.4. SpecificationAdministration 7
1.4.1. Specificationadministrationorganisation 7
1.4.2. ContactInformation 7
1.4.3. SpecificationChangeProcedures 8
2. PublicationandRepositories 9
2.1. Repositories 9
2.2. PublicationofKeySigningKeys(KSK) 9
2.3. Accesscontrol 9
3. OperationalRequirements 10
3.1. Meaningofdomainnames 10
3.2. ActivationofDNSSECforchildzone 10
3.3. Identificationandauthenticationofchild-zonemanager 10
3.4. Registrationofdelegationsigner(DS)resourcerecords 10
3.5. Methodtoprovepossessionofprivatekey 10
3.6. RemovalofDSresourcerecord 10
3.6.1. Authoritytorequestderegistration 10
3.6.2. Deregistrationprocedure 11
4. Facility,Management,andOperationalControls 11
4.1. PhysicalControls 11
4.1.1. Sitelocationandconstruction 11
4.1.2. Physicalaccess 11
4.1.3. PowerandAirConditioning 11
4.1.4. WaterExposure 11
4.1.5. FirePreventionandProtection 11
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page3of22
4.1.6. MediaStorage 11
4.1.7. WasteDisposal 11
4.2. ProceduralControls 12
4.2.1. TrustedRoles 12
4.2.2. Numberofpersonsrequiredpertask 12
4.2.3. Identificationandauthorizationofpeopleintrustedroles 12
4.2.4. SeparationofDuties 12
4.3. PersonnelControls 12
4.3.1. Qualifications,experienceandclearancerequirements 12
4.3.2. Backgroundchecks 12
4.3.3. TrainingRequirements 12
4.3.4. JobRotationFrequencyandSequence 13
4.3.5. ContractingPersonnelRequirements 13
4.3.6. DocumentationSuppliedtoPersonnel 13
4.4. AuditLoggingProcedures 13
4.4.1. TypesofEventsRecorded 13
4.4.2. Frequencyofcontrolofloginformation 13
4.4.3. Retentionperiodforloginformation 13
4.4.4. ProtectionofAuditLog 14
4.4.5. Securitybackupsofloginformation 14
4.4.6. Log-informationcollectionsystem 14
4.4.7. Notificationtoevent-causingsubject 14
4.4.8. Vulnerabilityassessments 14
4.5. CompromiseandDisasterRecovery 14
4.5.1. Incidentmanagement 14
4.5.2. Corruptedequipment,softwareorinformation 14
4.5.3. EntityPrivateKeyCompromiseProcedures 14
4.5.4. Contingencyplan 15
4.5.5. Entitytermination 15
5. TechnicalSecurityControls 16
5.1. KeyPairGenerationandInstallation 16
5.1.1. KeyPairGeneration 16
5.1.2. PublicKeyDelivery 16
5.1.3. Qualitycontrolofkeyparameters 16
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page4of22
5.1.4. KeyUsagePurposes 16
5.2. PrivateKeyProtectionandCryptographicModuleEngineeringControls 16
5.2.1. CryptographicModuleStandardsandControls 16
5.2.2. PrivateKey(m-of-n)Multi-personControl 16
5.2.3. Keyescrow 16
5.2.4. PrivateKeyBackup 17
5.2.5. PrivateKeyArchival 17
5.2.6. PrivateKeyTransferIntoorFromaCryptographicModule 17
5.2.7. Storageinacryptographicsecuritymodule 17
5.2.8. Methodforactivatingprivatekeys 17
5.2.9. Methodfordeactivationofprivatekeys 17
5.2.10. Destructionofprivatekeys 17
5.3. OtherAspectsofKeyPairManagement 17
5.3.1. PublicKeyArchival 17
5.3.2. KeyUsagePeriod 17
5.3.3. Activationdata 17
5.3.4. Generationandinstallationofactivationdata 17
5.3.5. Protectionofactivationdata 18
5.3.6. Otheraspectsofactivationdata 18
5.4. ComputerSecurityControls 18
5.5. NetworkSecurityControls 18
5.6. Timestamping 18
5.7. LifeCycleTechnicalControls 18
5.7.1. Systemdevelopmentcontrols 18
5.7.2. Systemmanagementcontrols 19
6. ZoneSigning 20
6.1. KeyLengthsandAlgorithms 20
6.2. AuthenticatedDenialofExistence 20
6.3. SignatureFormat 20
6.4. ZoneSigningKeyRoll-over(ZSK) 20
6.5. KeySigningKeyRoll-over(KSK) 20
6.6. SignatureLife-timeandRe-signingFrequency 20
6.7. Verificationofzonesigningkeyset 20
6.8. Verificationofresourcerecords 20
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page5of22
6.9. ResourceRecordsTime-to-live(TTL) 20
7. ComplianceAudit 21
7.1. Frequencyofentitycomplianceaudit 21
7.2. Qualificationsofauditor 21
7.3. Auditor'srelationshiptotheauditedparty 21
7.4. Topicscoveredbyaudit 21
7.5. Actionstakenasresultofdeficiency 21
7.6. Communicationofresults 21
8. LegalMatters 22
8.1. Fees 22
8.2. Privacyofpersonalinformation 22
8.2.1. Responsibilitytoprotectpersonalinformation 22
8.2.2. Disclosureofpersonalinformationtojudicialauthorities 22
8.3. Limitationsofliability 22
8.4. Termandtermination 22
8.4.1. Validityperiod 22
8.4.2. Expirationofvalidity 22
8.4.3. Disputeresolution 22
8.4.4. Governinglaw 22
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page6of22
1. IntroductionThisdocumentistheRegistryOperator’sstatementofsecuritypracticesandprovisionthatareappliedinconjunctionwithDNSSecurityExtensions(DNSSEC)inthegTLDtop-leveldomain.ThisdocumentconformstotheRFC-draftDNSSECPolicy&PracticeStatementFramework(currentdraft:http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework-05).TheDPSisoneofseveraldocumentsrelevanttotheoperationoftheRegistryzone.Anotherrelevantdocumentisthebusinesscontingencyplan.
1.1. OverviewThepurposeofthisdocumentistoenablestakeholderstodeterminetheleveloftrusttheywishtogranttotheRegistry’sDNSSECmanagement.ItdetailstheproceduresandpoliciesemployedbytheRegistryOperatorinoperatingtheRegistryzone.
DNSSECisasetofrecordsandprotocolmodificationsthatenabletheauthenticationofDNSdataandalsomakeitpossibletoensurethatcontenthasnotbeenmodifiedduringtransfer,includingmechanismsforauthenticateddenialofexistence.ResourcerecordssecuredwithDNSSECarecryptographicallysignedandincorporateasymmetriccryptographyintheDNShierarchy,wherebytrustfollowsthesamechainastheDNStree,meaningthattrustoriginatesfromtherootandisdelegatedinthesamewayastheownershipofadomain.
1.2. Documentnameandidentification DNSSECPolicyandPracticeStatementorshortDPS.
1.3. CommunityandApplicability TheRegistryfollowsaRegistry–Registrar–Registrantmodel.Inthismodel,theownerofazone(Registrant)andtheoperatoroftheparentzone(RegistryOperator)areconnectedthroughanintermediary(Registrar).
1.3.1. RegistryOperatorTheRegistryOperatorisresponsiblefortheadministrationofthedomainnamesintheRegistryzone.ThismeansthattheRegistryOperatormanagesaddition,changesandremovalofalldatathatisrelatedtoadomainnameintheRegistry.
ForDNSSEC,theRegistryOperatorisresponsibleforgeneratingkeypairsandprotectingtheconfidentialityoftheprivatecomponentoftheKeySigningKeys(KSK)andZoneSigningKeys(ZSK)andformakingitspublickeysavailabletothegeneralpublic.TheRegistryOperatorisalsoresponsibleforsigningallauthoritativeDNSresourcerecordsintheRegistryzoneinasecuremanner.
FinallytheRegistryOperatorisresponsiblefortheregistrationandmaintenanceofDSresourcerecordsintherootzone.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page7of22
1.3.2. RegistrarARegistraristhepartythatisresponsiblefortheadministrationandmanagementofdomainnamesofbehalfoftheRegistrant.TheRegistrarhandlestheregistration,maintenanceandmanagementofaRegistrantsdomainnameandisanaccreditedICANNregistrar.
TheRegistrarisresponsibleforsecurelyidentifyingtheRegistrantofadomain.TheRegistrarisresponsibleforadding,removingorupdatingspecifiedDNSKEYrecordsforeachdomainattherequestoftheRegistrant.
1.3.3. RegistrantARegistrantisthephysicalorlegalentitythatcontrolsadomainname.Registrantsareresponsibleforgeneratingandprotectingtheirownkeys,andregisteringandmaintainingtheDNSKEYrecordsthroughtheRegistrar.
TheRegistrantisresponsibleforissuinganemergencykeyrolloverifkeysaresuspectedofbeingcompromisedorhavebeenlost.
1.3.4. ApplicabilityEachRegistrantisresponsiblefordeterminingtherelevantlevelofsecurityfortheirdomain.ThisDPSisexclusivelyapplicabletothetop-levelRegistrydomainanddescribestheproceduresandsecuritycontrolsandpracticesapplicablewhenmanagingandemployingkeysandsignaturesforRegistry’ssigningoftheRegistryzone.
1.4. SpecificationAdministration ThisDPSwillbeperiodicallyreviewedandupdated,asappropriate.
1.4.1. Specificationadministrationorganisation
Theadministratorof.epostDPSisDeutschePostAG
1.4.2. ContactInformation
DeutschePostAGCharles-de-Gaulle-Straße2053113BonnGermany
Phone+4922818296701Fax+4922818296799Email [email protected]
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page8of22
1.4.3. SpecificationChangeProceduresAnychangetothisdocumentneedstobesignedoffbyaSeniorManageroftheRegistryOperator,andtheSecurityOfficeroftheRegistryServiceProvider.
OnlythemostrecentversionofthisDPSisapplicable.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page9of22
2. PublicationandRepositories
2.1. RepositoriesDNSSECrelevantinformationispublishedviatheRegistryOperator'ssecuredwebsite.
2.2. PublicationofKeySigningKeys(KSK)TheRegistryOperatorwillpublishitsKeySigningKeys(KSKs)intwoformats:
• Directlyintherootzone(onlyDSresourcerecords)
• OntheRegistry'swebsite,intheDNSKEYFormat
2.3. AccesscontrolInformationpublishedatthespecificwebsiteisavailabletothegeneralpublicandisprotectedagainstunauthorizedadding,deletionormodificationofthecontentonthewebsite.
Thepublicpartoftheregistry’skeySigningKeyissignedwiththeRegistry’sofficialPGP-key,whichmaybefoundattheRegistryOperator’ssecuredwebsite.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page10of22
3. OperationalRequirements
3.1. MeaningofdomainnamesAdomainnameisauniqueidentifier,whichisoftenassociatedwithservicessuchaswebhostingore-mail.Applicationforregistryunderthetop-levelRegistrydomainislimitedtotheRegistryOperator.
3.2. ActivationofDNSSECforchildzoneDNSSECisactivatedbyatleastoneKeySigningKey(KSK)DNSKEYrecordforthezonebeingsentfromtheRegistrartotheRegistryOperatorandthusbeingpublishedintheDNS,whichestablishedachainoftrusttothechildzone.TheRegistryOperatorwillcalculateandupdatetherelatedDSresourcerecords.
Duringthepre-delegationchecks,wewillensurethattheDNSKEYrecordsprovidedareavailableasDNSKEYrecordsattheapexofthechildzoneforalldelegatednameservers.WewillalsocheckiftheseDNSKEYsareproperlysigned.
3.3. Identificationandauthenticationofchild-zonemanagerItistheresponsibilityoftheRegistrartosecurelyidentifyandauthenticatetheRegistrantthroughasuitablemechanism,andincompliancewiththestipulationsinthecontractbetweentheRegistryOperatorandtheRegistrar.
3.4. Registrationofdelegationsigner(DS)resourcerecordsTheRegistryOperatoracceptsDNSKEYrecordsthroughtheEPPinterfacefromtheRegistrar.TheDNSKEYrecordmustbevalidandsentintheformatindicatedinRFC5910(EPPDNSSecurityExtensionsMapping).
TheRegistryOperatorwillcalculateandinsertthederivedDSresourcerecords.
3.5. MethodtoprovepossessionofprivatekeyTheRegistryOperatordoesnotconductanycontrolswiththeaimofvalidatingtheRegistrantasthemanagerofaprivatekey.TheRegistrarisresponsibleforconductingthecontrolsthatarerequiredandthosedeemednecessary.
3.6. RemovalofDSresourcerecordADSrecordisderegisteredbysendingarequestfromtheRegistrartotheRegistryOperator.ThederegistrationofallDSrecordswilldeactivatetheDNSSECsecuritymechanismforthezoneinquestion.
3.6.1. AuthoritytorequestderegistrationOnlytheRegistrant,orthepartyformallydesignatedbytheRegistrantbyassigningeithertheTechCorAdminCrole,hastheauthoritytorequestderegistrationoftheDSrecords.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page11of22
3.6.2. DeregistrationprocedureTheRegistrantortheRegistrant’srepresentativeintheformofTechCorAdminCtaskstheRegistrarwithimplementingthederegistration.TheRegistrarmayonlydothisonbehalfoftheRegistrant.FromthetimethederegistrationrequesthasbeenreceivedbytheRegistryOperatorviaEPP,ittakesnolongerthanuntilthenextzonegenerationforthechangetoberecordedinthezonefile.
Subsequently,ittakesuptotwotimestheTTLplusthedistributiontimebeforethechangeshavebeendeployed.Thewholeproceduremaytakeamaximumoffivehourstocomplete.
4. Facility,Management,andOperationalControls
4.1. PhysicalControlsTheRegistryOperatorhasimplementedphysicalsecuritycontrolstomeettherequirementsspecifiedinthisDPS.
4.1.1. SitelocationandconstructionTheRegistryOperatoroperatesmultiplesitesintheBenelux,atleast25kilometersapart.TheredundantfacilitycontainsacompletesetoftheRegistry’scriticalsystems,whoseinformationiscontinuouslyupdatedthroughautomaticreplicationofthenormaloperationsfacility.Allofthesystemscomponentsareprotectedwithinaphysicalperimeterwithanaccesscontrolandalarmsystem.
Thebackupoperationsfacilitymeetstheminimumstandardsappliedtothenormalfacilityintermsofphysicalsecurity,powersupply,environmentandfireandwaterprotection.
4.1.2. PhysicalaccessAllofourfacilitieshaverestrictedaccess,limitedtoauthorizedpersonnel.
4.1.3. PowerandAirConditioningAllfacilitieshaveUninterruptiblePowerSupply(UPS)capabilitiesandairconditioning.Theexternaldatacentersiteshaveredundantsystemsinplaceintheeventofapowerfailure.
4.1.4. WaterExposureToavoidtheriskofwaterexposure,allofourfacilitiesareonelevatedfloorswellabovegroundlevel.
4.1.5. FirePreventionandProtectionAllfacilitieshavefiredetectorsandgasextinguishers.
4.1.6. MediaStorageSensitivemediaisstoredinasafewhichisonlyaccessiblebytheRegistryOperator’sSeniorManagementandspecificallydesignatedpersonnel.
4.1.7. WasteDisposalSensitivedocumentsandmaterialsareshreddedbeforedisposal.Mediausedtocollectortransmitsensitiveinformationisrenderedunreadablebeforedisposal.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page12of22
4.1.8. Off-siteBack-upSignerbackupsarestoredonourstoragesystemsspreadacrossallofourdatacenters.
4.2. ProceduralControls4.2.1. TrustedRolesTrustedrolesareheldbypersonsthatareabletoaffectthezonefile’scontent,orthegenerationoruseofprivatekeys.Thetrustedrolesare:
• System&NetworkAdministrator
• SecurityOfficer,SO
4.2.2. NumberofpersonsrequiredpertaskAtanygiventime,theremustbeatleasttwoindividualswithintheorganizationpertrustedroleindicatedin4.2.1.
Signersystemactivationrequirestwopeopletobepresent;onefromeachrole.
Keygenerationrequirestwopeopletobepresent;onefromeachrole.
Theexportandcontroloftrustanchorsrequirestwopeopletobepresent;onefromeachrole.
Noneoftheaforementionedoperationsmaybeperformedinthepresenceofunauthorizedpeople.
4.2.3. IdentificationandauthorizationofpeopleintrustedrolesOnlypeoplewhohavesignedaconfidentialityagreementandanagreementtoacknowledgetheirresponsibilitieswiththeRegistryOperatormayholdatrustedrole.Beforeapersonreceivestheircredentialsforsystemaccess,avalidformofidentificationmustbepresented.Referto4.3.2.
4.2.4. SeparationofDutiesThetrustedrolesin4.2.1abovemaynotbeheldsimultaneouslybyoneandthesameperson.TheseparationofdutiesisforcedbytheSecurityOfficernothavingexclusivephysicalaccesstotheoperationalfacilities,andtheNetwork&SystemAdministratornothavingaccesstotheactivationmaterialofthesignersystem.
4.3. PersonnelControls 4.3.1. Qualifications,experienceandclearancerequirementsEngineerstakingpartintheTrustedRoleshavemusthavethequalificationsnecessaryfortheDNSengineerjobrole.
4.3.2. BackgroundchecksTheevaluationofbackgroundchecksisconductedatthetimeofhiringtheengineer.
4.3.3. TrainingRequirementsShouldanewteambeformed,thisteamwillhavetoobserveatleastoneregularkeyroll-overwithanexistingteam.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page13of22
4.3.4. JobRotationFrequencyandSequenceTheresponsibilityforconductingoperationsisrotatedoneachoccasionbetweenthepeoplewhoholdatrustedrole.
4.3.5. ContractingPersonnelRequirementsNopersonoutsideofthespecifiedTrustedRolescangetaccesstothesignersystems.Ifnecessary,ateamcanperformcertaintaskswiththeguidanceofanexternalcontractor.Atnotimeisthecontractorallowedtobethepersonperformingthetasksonthesystem.
4.3.6. DocumentationSuppliedtoPersonnelTheregularproceduresforbackupandrestoreareavailabletoallpersonnelinvolved.Ifmajoralterationstothoseproceduresaremade,theengineersofthoseteamswillbeinformedaccordingly.
4.4. AuditLoggingProceduresLoggingisautomaticallycarriedoutandinvolvesthecontinuouscollectionofinformationregardingtheactivitiesthattakeplaceinanITsystem.Thisloginformationisusedinthemonitoringofoperations,forstatisticalpurposesandforinvestigationpurposesinsuspectedcasesofviolationof.SE’spoliciesandregulations.
Logginginformationalsoincludesthejournals,checklistsandotherpaperdocumentsthatarevitaltosecurityandthatarerequiredforauditing.
Thepurposeofthecollectedloginformationistobeabletoreconstructthecaseafter-the-factandanalyzewhichpeopleorapplications/systemsdidwhatandatwhattime.Loggingandtheidentificationofusersenablessuchfeaturesastraceabilityandthefollow-upofunauthorizeduse.
4.4.1. TypesofEventsRecordedPhysicalaccesstothefacilitiesusedforoursigningsystemsisloggedautomaticallyonenterandexit.Themainoperationsiterequirespersonneltobespecificallygrantedpermissiontoenterthesuiteinwhichtheequipmentislocatedandtheywillhavetosign-inusingavalididentification(passport,driverslicense,etc.).
Logmessagesfromthesignersystemswillbesentsecurelytoaloggingsystemandrecordedforauditpurposes.
4.4.2. FrequencyofcontrolofloginformationLogsarecontinuouslyanalyzedthroughautomatedandmanualcontrols.Specificcontrolsareconductedonprocessesincludingkeygeneration,systemrebootsanddetectedanomalies.
4.4.3. RetentionperiodforloginformationLoginformationisstoredinlogsystemsfornotlessthan30days.Thereafter,theloginformationisarchivedfornotlessthantenyears.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page14of22
4.4.4. ProtectionofAuditLogAuditlogsofourmainoperationsitearestoredatbothoperationsfacilitiesatthesametime.Theloggingsystemisprotectedagainstunauthorizedviewingandthemanipulationofinformation. 4.4.5. SecuritybackupsofloginformationAllelectronicloginformationissecurelybackeduponamonthlybasisandisstoredseparatelyfromthesysteminasecurelocation.Allpaper-basedloginformationisscannedandelectronicallytransferredtobothfacilities.
4.4.6. Log-informationcollectionsystemElectronicloginformationistransferredinreal-timetothecollectionsystems;oneforeachfacilityandexternaltothekeygeneratingsystem.Manuallogsarerecordedonpaper,scanned,andmanuallytransferredtothecollectionsystemonamonthlybasis.Theoriginaldocumentsarearchivedinafireproofsafe.
4.4.7. Notificationtoevent-causingsubjectPersonnelcausinganeventtobeloggedwillnotbenotifiedthatsuchloggingistakingplacenorwilltheybeentitledtoreviewthelogdata.
4.4.8. VulnerabilityassessmentsAllanomaliesintheloginformationareinvestigatedtoanalyzepotentialvulnerabilities.
4.5. CompromiseandDisasterRecovery4.5.1. IncidentmanagementAllrealandperceivedeventsofasecurity-criticalnaturethatcausedorcouldhavecausedanoutage,damagetotheITsystem,disruptionsanddefectsduetoincorrectinformationorsecuritybreachesaredefinedasincidents.
AllincidentsarehandledinaccordancewiththeRegistry’sincidenthandlingprocedures.Theincidenthandlingprocedureincludesinvestigatingthecauseoftheincident,whateffectstheincidenthashadormayhavehad,measurestopreventtheincidentfromrecurringandformstofurtherreportthisinformation.
Anincidentthatinvolvessuspicionthataprivatekeyhasbeencompromisedleadstotheimmediaterolloverofkeyspursuanttotheproceduresindicatedinchapter4.5.3.
4.5.2. Corruptedequipment,softwareorinformationIntheeventofcorruption,theincidentmanagementproceduresshallbeinitiatedandappropriatemeasuresshallbetaken.
4.5.3. EntityPrivateKeyCompromiseProceduresUponthesuspectedorknowncompromiseofakey,wewillassessthesituation,developandimplementanactionplanwithapprovalfromtheSecurityOfficerandSeniorManagement.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page15of22
• Ifazonesigningkeyissuspectedofhavingbeencompromised,itwillimmediatelyberemovedfromproductionandstoppedbeingused.Ifnecessary,anewZSKwillbegeneratedandtheoldkeywillberemovedfromthekeysetassoonasitssignatureshaveexpiredortimedout.
• IfaKSKissuspectedofhavingbeencompromised,anewkeywillbegeneratedandputintoimmediateuse,inparallelwiththeoldkey.TheoldKSKwillremaininplaceandbeusedtosignkeysetsuntilsuchtimeasitcanbeconsideredsufficientlysafetoremovethekeytakingintoaccounttheriskforsystemdisruptionsinrelationtotheriskthatthecompromisedkeypresents.
4.5.4. ContingencyplanTheRegistryOperatorhasacontingencyplanthatensuresthatoperation-criticalproductioncanberelocatedbetweenthetwooperationfacilitieswithinfourhours.Thefacilitiesareequivalentintermsofphysicalandlogisticalprotection.Informationisreplicatedbetweenthefacilities.Frequentlyusedsparecomponentsandcriticalhardwarecomponentsarestoredonsiteineachoperationsfacility.
Thecontingencyplanandroutinesareregularlytested.Thecompletedtestsandtrialsarerecordedandsubsequentlyevaluated.
Thecontingencyplanincludes:
•Whodecidesontheactivationofanemergencyrecoveryprocedure;
•Howandwherethecrisismanagementshallconvene;
•Activationofbackupoperations;
•AppointmentofaTaskManager;
•Criteriaforrestoringnormaloperations.
4.5.5. EntityterminationIftheRegistryOperatormustdiscontinueDNSSECfortheRegistryzoneforanyreasonandreturntoanunsignedposition,thiswilltakeplaceinanorderlymannerinwhichthegeneralpublicwillbeinformed.Ifoperationsaretobetransferredtoanotherparty,theRegistrywillparticipateinthetransitionsoastomakeitassmoothaspossible.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page16of22
5. TechnicalSecurityControls
5.1. KeyPairGenerationandInstallation
5.1.1. KeyPairGenerationKeygenerationtakesplaceonasigningsystemthatismanagedbytrainedandspecificallyappointedpersonnelintrustedroles.
Keygenerationtakesplacewhennecessaryandmustbeperformedbytwopeopleworkinginunison.Thesepeoplearepresentduringtheentireoperation.
Theentirekey-generationprocedureislogged,partofwhichisdoneelectronicallyandpartofwhichisdonemanuallyonpaperbytheSecurityOfficer.
5.1.2. PublicKeyDeliveryThepubliccomponentofeachgeneratedKSKisexportedfromthesigningsystemandverifiedbytheSecurityOfficerandNetwork&SystemAdministrator.TheSecurityOfficerisresponsibleforpublishingthepubliccomponentoftheKSKinasecuremannerasper2.1.TheNetwork&SystemAdministratorisresponsibleforensuringthatthekeysthatarepublishedarethesameasthosethatweregenerated.
5.1.3. QualitycontrolofkeyparametersKeyparametersareregularlyreviewedandqualitycontrolincludescheckingthekeylength.
5.1.4. KeyUsagePurposesKeysgeneratedforDNSSECareneverusedforanyotherpurposeoroutsidethesigningsystem.AsignaturecreatedbyaDNSSECkeyhasamaximumvalidityperiodof90daysfortheZSKandof1yearfortheKSK,startingfromthetimethesignatureisproduced.
5.2. PrivateKeyProtectionandCryptographicModuleEngineeringControlsAllcryptographicoperationsareperformedonthesigningsystemandnoprivatekeysareeverfoundunprotectedoutsideit.
5.2.1. CryptographicModuleStandardsandControlsThesigningsystemusedforsigningthezonesisusingFIPS140-2Level2-certifiedflashdrivesforstart-upandprivatekeybackup. 5.2.2. PrivateKey(m-of-n)Multi-personControlNoaccesstounencryptedkeysisavailableintheentiresystem.AccesstothesignersystemisspecifiedintheTrustedRolessection.
5.2.3. KeyescrowTheRegistrydoesnotapplyakeyescrow.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page17of22
5.2.4. PrivateKeyBackupThekeyarchiveisencryptedwithaStorageMasterKey(SMK).ThekeyarchiveandtheSMKarestoredonaportablestoragemedium(FIPS140-2Level2-certifiedflashdrives)inabankvault,whichcanonlybeaccessedbyaSecurityOfficer.
Keysarestoredinanencryptedformatonthesigningmodule’sharddrive.Theencryptedkeyarchiveissecurelybackedupandsynchronizedbetweentheoperationsfacilitiesimmediatelyafterkeygeneration.
5.2.5. PrivateKeyArchivalPrivatekeyscanberestoredfromtheback-upsspecifiedabove.Privatekeysarenotarchivedonthesignersystemoncetheyhavebeenrevoked.
5.2.6. PrivateKeyTransferIntoorFromaCryptographicModulePrivatekeyscanonlybetransferredoffthesysteminencryptedformandrestoredontotheback-upsystembytheteamsdescribedintheTrustedRolessection.
5.2.7. StorageinacryptographicsecuritymoduleTheStorageMasterKey(SMK)issharedbyallsecuritymodulesinthesystem.Thismasterkeyisusedtodecryptthekeyarchivethatisstoredoutsidethesecuritymodulewhiledeactivated.
5.2.8. MethodforactivatingprivatekeysPrivatekeysareactivatedbyunlockingthesigningsystem.AnSAprovidesanSOwithaccesstothefacility.TheSecurityOfficerstatesapersonalpassphraseforthesigningsystemthroughaconsole.
5.2.9. MethodfordeactivationofprivatekeysThesigningsystemislockedafterthesystemiseitherturnedofforrebooted.
5.2.10. DestructionofprivatekeysPrivatekeysarenotdestructed.Aftertheirusefullife,theyareremovedfromthesigningsystem.
5.3. OtherAspectsofKeyPairManagement
5.3.1. PublicKeyArchivalPublickeysarearchivedinaccordancewiththearchivingofotherinformationrelevanttotraceabilityinthesystem,suchaslogdata.
5.3.2. KeyUsagePeriodKeysbecomeinvalidastheyaretakenoutofproduction.Oldkeysarenotreused.
5.3.3. ActivationdataTheactivationdataisthepersonalpassphraseforeachSecurityOfficerthatisusedtoactivatethesigningsystem.
5.3.4. GenerationandinstallationofactivationdataEachSecurityOfficerisresponsibleforcreatingtheirownactivationdatapursuanttotheapplicablerequirementsofatleastninecharactersofvaryingnature.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page18of22
5.3.5. ProtectionofactivationdataEachSecurityOfficerisresponsibleforprotectingtheiractivationdatainthebestpossibleway.Onthesuspicionofcompromisedactivationdata,theSecurityOfficermustimmediatelychangeit.
5.3.6. OtheraspectsofactivationdataIntheeventofanemergency,thereisasealedandtamperevidentenvelopeinasecurelocationthatcontainsactivationinformationwithinstructionsonappointinganEmergencySecurityOfficer(ESO).TheDNSSECcontingencyplanproceduresstatetheconditionsinwhichthisshallbeapplied.
5.4. ComputerSecurityControlsAllcriticalcomponentsoftheRegistry’ssystemsareplacedintheorganizationssecurefacilitiesinaccordancewith4.1.Accesstotheserver’soperatingsystemsislimitedtoindividualsthatrequirethisfortheirwork,meaningNetwork&SystemAdministrators.Allaccessisloggedandistraceableattheindividuallevel.
5.5. NetworkSecurityControlsSystemsholdingthesigninginfrastructureareinsideadedicatedVLANinsideournetworkinfrastructure.Theonlycommunicationschanneltothosesystemsisthroughourfirewall,whichislimitedtotheminimalcapabilitiesnecessaryfortheoperationofthesystem.Allsensitiveinformationthatistransferredoverthecommunicationsnetworkisalwaysprotectedbystrongencryption.
5.6. TimestampingThesignersystemssecurelysynchronizetheirsystemclockswithatrustedtimesourceinsideournetwork.
5.7. LifeCycleTechnicalControls
5.7.1. SystemdevelopmentcontrolsAllsourcecodeisstoredinaversioncontrolsystem.Thesourcecodearchiveisregularlybackedupandcopiesarestoredseparatelyinafireproofsafe.
Thedevelopmentmodelisbasedonindustrystandardsandincludes:
•Fullyfunctionalspecificationanddocumentedsecurityrequirements;
•Documentedarchitecturaldesignbasedonanaturalmodularizationofthesystem;
•Continuouspursuitofminimizingcomplexity;
•Systematicandautomatedtestingandregressiontests;
•Issuingofdistinctsoftwareversions;
•Constantqualityfollow-upsofdetecteddefects.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page19of22
5.7.2. SystemmanagementcontrolsAuthorizationregistersarekeptandfollowedupregularly.TheRegistryOperatoralsoconductsregularsecurityauditsofthesystem.TheRegistrypreparesandmaintainsasystemsecurityplanthatisbasedonrecurringriskanalysis.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page20of22
6. ZoneSigning
6.1. KeyLengthsandAlgorithmsKeylengthsandalgorithmsaretobeofsufficientlengthfortheirdesignatedpurposeduringeachkey’susefullife.
AlgorithmsshallbestandardizedbytheIETF,availabletothepublicandresourceefficientforallpartiesinvolved.
TheRSAalgorithmwithakeylengthof2048bitsiscurrentlyusedforKSKand1024bitsforZSK.
6.2. AuthenticatedDenialofExistenceAuthenticateddenialofexistencewillbeprovidedthroughtheuseofNSEC3recordsasspecifiedinRFC5155.
6.3. SignatureFormatSignaturesarecreatedwiththeRSASHA1-NSEC3-SHA1algorithm.
6.4. ZoneSigningKeyRoll-over(ZSK)TheRegistrywillrolltheZSKwithapre-publishingschemeasdescribedinRFC4641,section4.2.1.1.
6.5. KeySigningKeyRoll-over(KSK)TheRegistrywillrolltheKSKwithadouble-signingschemeasdescribedinRFC4641,section4.2.1.2.
6.6. SignatureLife-timeandRe-signingFrequencyRRsetsaresignedwithZSKswithasignaturelifetimeof90days.Resigningtakesplaceeveryday.
6.7. VerificationofzonesigningkeysetToensuresignaturesandthevalidityperiodofkeys,securitycontrolsareconductedagainsttheDNSKEYpriortopublishingzoneinformationontheInternet.ThisisdonebyverifyingthechainfromDSintheparentzonetoKSK,ZSKandthesignatureovertheRegistry’sSOA.
6.8. VerificationofresourcerecordsTheRegistryOperatorverifiesthatallresourcerecordsarevalidinaccordancewiththecurrentstandardspriortodistribution.
6.9. ResourceRecordsTime-to-live(TTL)• DNSKEY : EqualtotheTTLusedfortheSOArecord• NSEC3 : EqualtotheminimumfieldoftheSOArecord• RRSIG : EqualtothelowestTTLoftherecordsetcovered• DS : EqualtotheTTLoftheNSRRset
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page21of22
7. ComplianceAuditAuditeddocuments(policy,procedures,requirements),informationregardingfactsorotherinformationthatisrelevantinconsiderationoftheauditcriteriaandthatisverifiableareusedasdocumentationwhenconductingaudits.
7.1. FrequencyofentitycomplianceauditTheneedofauditsisdecidedbytheRegistryOperator.Circumstanceswhichmayentailanauditrequirementare:
•Recurringanomalies;
•Significantchangesthataremadeatthemanagementlevel,intheorganizationorinprocesses;
•Othercircumstances,suchasthecompetenceamongpersonnel,newequipmentorothermajorchanges;
7.2. QualificationsofauditorTheauditorshallbeabletodemonstrateproficiencyinITsecurity,DNSandDNSSEC.
7.3. Auditor'srelationshiptotheauditedpartyAnexternalauditingmanagershallbeappointedfortheaudit.Whennecessary,theauditingmanagershallbeabletorecruitspecificexpertknowledge.Theauditingmanagerisresponsibleforimplementationduringtheentireaudit.
7.4. TopicscoveredbyauditTheauditingmanager’sassignmentincludesensuringthat:
•TherightcompetencerepresentstheRegistry;
•Theauditeeisinformedandpreparedpriortotheaudit;
•Theauditeeisinformedofthetopicoftheauditinadvance;
•Follow-upproceduresoftheauditresultsareinplace;
7.5. ActionstakenasresultofdeficiencyTheauditingmanagershallimmediatelyverballyinformtheRegistryOperator’smanagementofanyanomalies.
7.6. CommunicationofresultsTheauditingmanagershallsubmitawrittenreportoftheauditresultstotheRegistryOperatornotlaterthan30calendardaysaftertheaudit.
DNSSecPolicy&PracticeStatement
Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)
Confidential Page22of22
8. LegalMatters
8.1. FeesTheRegistrydoesnotchargeanyfeesforDNSSECfromRegistrars.
8.2. Privacyofpersonalinformation
8.2.1. ResponsibilitytoprotectpersonalinformationThisisregulatedbytheRegistryOperator’sRegistrationtermsandconditionsandbyagreementbetweentheRegistryOperatorandtheRegistrar.
8.2.2. DisclosureofpersonalinformationtojudicialauthoritiesConsideringthefactthatthegTLDinquestionissubjecttoSpecification13,whereanyandalldomainnamesareregisteredinthenameoftheRegistryOperatororitsAffiliates.ReferenceismadetothetermsandconditionsforregisteringdomainnamesintheTLD,asprovidedtoICANNinthecontextofRegistryOperator’srequestforSpecification13.
8.3. LimitationsofliabilityAstheTLDisoperatedinaccordancewithSpecification13,DeutschePostAG(anditsaffiliates)asregistrant(s)areunlikelytoincurdamagesastheresultofissueswithdomainnamesithasregistereditselfintheTLD.
8.4. Termandtermination
8.4.1. ValidityperiodThisDPSappliesuntilfurthernotice.
8.4.2. ExpirationofvalidityThisDPSisvaliduntilitisreplacedwithanupdatedornewversionasstatedinsection1.4.3.
8.4.3. DisputeresolutionReferenceismadetothetermsandconditionsforregisteringdomainnamesintheTLD,asprovidedtoICANNinthecontextofRegistryOperator’srequestforSpecification13.
8.4.4. GoverninglawTheoperationofthisRegistryisgovernedbythelawsofGermany.