Document control Document information and security · Document control Document information and security CONDUCTED BY RESPONSIBLE FOR FACTS RESPONSIBLE FOR DOCUMENT SECURITY OFFICER

DNSSecPolicy&PracticeStatement

Date:19/03/2012Version:FINALforApplication1-1075-2496(.epost)

Confidential Page1of22

Documentcontrol

Documentinformationandsecurity

CONDUCTEDBY RESPONSIBLEFORFACTS RESPONSIBLEFORDOCUMENT

SECURITYOFFICER SECURITYOFFICER SECURITYOFFICER

Approvedby

DATE NAME FUNCTION

SECURITYOFFICER

Audits

DATE VERSION NAME DESCRIPTION




TableofContentTableofContent 2

1. Introduction 6

1.1. Overview 6

1.2. Documentnameandidentification 6

1.3. CommunityandApplicability 6

1.3.1. Registry 6

1.3.2. Registrar 7

1.3.3. Registrant 7

1.3.4. Applicability 7

1.4. SpecificationAdministration 7

1.4.1. Specificationadministrationorganisation 7

1.4.2. ContactInformation 7

1.4.3. SpecificationChangeProcedures 8

2. PublicationandRepositories 9

2.1. Repositories 9

2.2. PublicationofKeySigningKeys(KSK) 9

2.3. Accesscontrol 9

3. OperationalRequirements 10

3.1. Meaningofdomainnames 10

3.2. ActivationofDNSSECforchildzone 10

3.3. Identificationandauthenticationofchild-zonemanager 10

3.4. Registrationofdelegationsigner(DS)resourcerecords 10

3.5. Methodtoprovepossessionofprivatekey 10

3.6. RemovalofDSresourcerecord 10

3.6.1. Authoritytorequestderegistration 10

3.6.2. Deregistrationprocedure 11

4. Facility,Management,andOperationalControls 11

4.1. PhysicalControls 11

4.1.1. Sitelocationandconstruction 11

4.1.2. Physicalaccess 11

4.1.3. PowerandAirConditioning 11

4.1.4. WaterExposure 11

4.1.5. FirePreventionandProtection 11




4.1.6. MediaStorage 11

4.1.7. WasteDisposal 11

4.2. ProceduralControls 12

4.2.1. TrustedRoles 12

4.2.2. Numberofpersonsrequiredpertask 12

4.2.3. Identificationandauthorizationofpeopleintrustedroles 12

4.2.4. SeparationofDuties 12

4.3. PersonnelControls 12

4.3.1. Qualifications,experienceandclearancerequirements 12

4.3.2. Backgroundchecks 12

4.3.3. TrainingRequirements 12

4.3.4. JobRotationFrequencyandSequence 13

4.3.5. ContractingPersonnelRequirements 13

4.3.6. DocumentationSuppliedtoPersonnel 13

4.4. AuditLoggingProcedures 13

4.4.1. TypesofEventsRecorded 13

4.4.2. Frequencyofcontrolofloginformation 13

4.4.3. Retentionperiodforloginformation 13

4.4.4. ProtectionofAuditLog 14

4.4.5. Securitybackupsofloginformation 14

4.4.6. Log-informationcollectionsystem 14

4.4.7. Notificationtoevent-causingsubject 14

4.4.8. Vulnerabilityassessments 14

4.5. CompromiseandDisasterRecovery 14

4.5.1. Incidentmanagement 14

4.5.2. Corruptedequipment,softwareorinformation 14

4.5.3. EntityPrivateKeyCompromiseProcedures 14

4.5.4. Contingencyplan 15

4.5.5. Entitytermination 15

5. TechnicalSecurityControls 16

5.1. KeyPairGenerationandInstallation 16

5.1.1. KeyPairGeneration 16

5.1.2. PublicKeyDelivery 16

5.1.3. Qualitycontrolofkeyparameters 16




5.1.4. KeyUsagePurposes 16

5.2. PrivateKeyProtectionandCryptographicModuleEngineeringControls 16

5.2.1. CryptographicModuleStandardsandControls 16

5.2.2. PrivateKey(m-of-n)Multi-personControl 16

5.2.3. Keyescrow 16

5.2.4. PrivateKeyBackup 17

5.2.5. PrivateKeyArchival 17

5.2.6. PrivateKeyTransferIntoorFromaCryptographicModule 17

5.2.7. Storageinacryptographicsecuritymodule 17

5.2.8. Methodforactivatingprivatekeys 17

5.2.9. Methodfordeactivationofprivatekeys 17

5.2.10. Destructionofprivatekeys 17

5.3. OtherAspectsofKeyPairManagement 17

5.3.1. PublicKeyArchival 17

5.3.2. KeyUsagePeriod 17

5.3.3. Activationdata 17

5.3.4. Generationandinstallationofactivationdata 17

5.3.5. Protectionofactivationdata 18

5.3.6. Otheraspectsofactivationdata 18

5.4. ComputerSecurityControls 18

5.5. NetworkSecurityControls 18

5.6. Timestamping 18

5.7. LifeCycleTechnicalControls 18

5.7.1. Systemdevelopmentcontrols 18

5.7.2. Systemmanagementcontrols 19

6. ZoneSigning 20

6.1. KeyLengthsandAlgorithms 20

6.2. AuthenticatedDenialofExistence 20

6.3. SignatureFormat 20

6.4. ZoneSigningKeyRoll-over(ZSK) 20

6.5. KeySigningKeyRoll-over(KSK) 20

6.6. SignatureLife-timeandRe-signingFrequency 20

6.7. Verificationofzonesigningkeyset 20

6.8. Verificationofresourcerecords 20




6.9. ResourceRecordsTime-to-live(TTL) 20

7. ComplianceAudit 21

7.1. Frequencyofentitycomplianceaudit 21

7.2. Qualificationsofauditor 21

7.3. Auditor'srelationshiptotheauditedparty 21

7.4. Topicscoveredbyaudit 21

7.5. Actionstakenasresultofdeficiency 21

7.6. Communicationofresults 21

8. LegalMatters 22

8.1. Fees 22

8.2. Privacyofpersonalinformation 22

8.2.1. Responsibilitytoprotectpersonalinformation 22

8.2.2. Disclosureofpersonalinformationtojudicialauthorities 22

8.3. Limitationsofliability 22

8.4. Termandtermination 22

8.4.1. Validityperiod 22

8.4.2. Expirationofvalidity 22

8.4.3. Disputeresolution 22

8.4.4. Governinglaw 22




1. IntroductionThisdocumentistheRegistryOperator’sstatementofsecuritypracticesandprovisionthatareappliedinconjunctionwithDNSSecurityExtensions(DNSSEC)inthegTLDtop-leveldomain.ThisdocumentconformstotheRFC-draftDNSSECPolicy&PracticeStatementFramework(currentdraft:http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework-05).TheDPSisoneofseveraldocumentsrelevanttotheoperationoftheRegistryzone.Anotherrelevantdocumentisthebusinesscontingencyplan.

1.1. OverviewThepurposeofthisdocumentistoenablestakeholderstodeterminetheleveloftrusttheywishtogranttotheRegistry’sDNSSECmanagement.ItdetailstheproceduresandpoliciesemployedbytheRegistryOperatorinoperatingtheRegistryzone.

DNSSECisasetofrecordsandprotocolmodificationsthatenabletheauthenticationofDNSdataandalsomakeitpossibletoensurethatcontenthasnotbeenmodifiedduringtransfer,includingmechanismsforauthenticateddenialofexistence.ResourcerecordssecuredwithDNSSECarecryptographicallysignedandincorporateasymmetriccryptographyintheDNShierarchy,wherebytrustfollowsthesamechainastheDNStree,meaningthattrustoriginatesfromtherootandisdelegatedinthesamewayastheownershipofadomain.

1.2. Documentnameandidentification DNSSECPolicyandPracticeStatementorshortDPS.

1.3. CommunityandApplicability TheRegistryfollowsaRegistry–Registrar–Registrantmodel.Inthismodel,theownerofazone(Registrant)andtheoperatoroftheparentzone(RegistryOperator)areconnectedthroughanintermediary(Registrar).

1.3.1. RegistryOperatorTheRegistryOperatorisresponsiblefortheadministrationofthedomainnamesintheRegistryzone.ThismeansthattheRegistryOperatormanagesaddition,changesandremovalofalldatathatisrelatedtoadomainnameintheRegistry.

ForDNSSEC,theRegistryOperatorisresponsibleforgeneratingkeypairsandprotectingtheconfidentialityoftheprivatecomponentoftheKeySigningKeys(KSK)andZoneSigningKeys(ZSK)andformakingitspublickeysavailabletothegeneralpublic.TheRegistryOperatorisalsoresponsibleforsigningallauthoritativeDNSresourcerecordsintheRegistryzoneinasecuremanner.

FinallytheRegistryOperatorisresponsiblefortheregistrationandmaintenanceofDSresourcerecordsintherootzone.




1.3.2. RegistrarARegistraristhepartythatisresponsiblefortheadministrationandmanagementofdomainnamesofbehalfoftheRegistrant.TheRegistrarhandlestheregistration,maintenanceandmanagementofaRegistrantsdomainnameandisanaccreditedICANNregistrar.

TheRegistrarisresponsibleforsecurelyidentifyingtheRegistrantofadomain.TheRegistrarisresponsibleforadding,removingorupdatingspecifiedDNSKEYrecordsforeachdomainattherequestoftheRegistrant.

1.3.3. RegistrantARegistrantisthephysicalorlegalentitythatcontrolsadomainname.Registrantsareresponsibleforgeneratingandprotectingtheirownkeys,andregisteringandmaintainingtheDNSKEYrecordsthroughtheRegistrar.

TheRegistrantisresponsibleforissuinganemergencykeyrolloverifkeysaresuspectedofbeingcompromisedorhavebeenlost.

1.3.4. ApplicabilityEachRegistrantisresponsiblefordeterminingtherelevantlevelofsecurityfortheirdomain.ThisDPSisexclusivelyapplicabletothetop-levelRegistrydomainanddescribestheproceduresandsecuritycontrolsandpracticesapplicablewhenmanagingandemployingkeysandsignaturesforRegistry’ssigningoftheRegistryzone.

1.4. SpecificationAdministration ThisDPSwillbeperiodicallyreviewedandupdated,asappropriate.

1.4.1. Specificationadministrationorganisation

Theadministratorof.epostDPSisDeutschePostAG

1.4.2. ContactInformation

DeutschePostAGCharles-de-Gaulle-Straße2053113BonnGermany

Phone+4922818296701Fax+4922818296799Email [email protected]




1.4.3. SpecificationChangeProceduresAnychangetothisdocumentneedstobesignedoffbyaSeniorManageroftheRegistryOperator,andtheSecurityOfficeroftheRegistryServiceProvider.

OnlythemostrecentversionofthisDPSisapplicable.




2. PublicationandRepositories

2.1. RepositoriesDNSSECrelevantinformationispublishedviatheRegistryOperator'ssecuredwebsite.

2.2. PublicationofKeySigningKeys(KSK)TheRegistryOperatorwillpublishitsKeySigningKeys(KSKs)intwoformats:

• Directlyintherootzone(onlyDSresourcerecords)

• OntheRegistry'swebsite,intheDNSKEYFormat

2.3. AccesscontrolInformationpublishedatthespecificwebsiteisavailabletothegeneralpublicandisprotectedagainstunauthorizedadding,deletionormodificationofthecontentonthewebsite.

Thepublicpartoftheregistry’skeySigningKeyissignedwiththeRegistry’sofficialPGP-key,whichmaybefoundattheRegistryOperator’ssecuredwebsite.




3. OperationalRequirements

3.1. MeaningofdomainnamesAdomainnameisauniqueidentifier,whichisoftenassociatedwithservicessuchaswebhostingore-mail.Applicationforregistryunderthetop-levelRegistrydomainislimitedtotheRegistryOperator.

3.2. ActivationofDNSSECforchildzoneDNSSECisactivatedbyatleastoneKeySigningKey(KSK)DNSKEYrecordforthezonebeingsentfromtheRegistrartotheRegistryOperatorandthusbeingpublishedintheDNS,whichestablishedachainoftrusttothechildzone.TheRegistryOperatorwillcalculateandupdatetherelatedDSresourcerecords.

Duringthepre-delegationchecks,wewillensurethattheDNSKEYrecordsprovidedareavailableasDNSKEYrecordsattheapexofthechildzoneforalldelegatednameservers.WewillalsocheckiftheseDNSKEYsareproperlysigned.

3.3. Identificationandauthenticationofchild-zonemanagerItistheresponsibilityoftheRegistrartosecurelyidentifyandauthenticatetheRegistrantthroughasuitablemechanism,andincompliancewiththestipulationsinthecontractbetweentheRegistryOperatorandtheRegistrar.

3.4. Registrationofdelegationsigner(DS)resourcerecordsTheRegistryOperatoracceptsDNSKEYrecordsthroughtheEPPinterfacefromtheRegistrar.TheDNSKEYrecordmustbevalidandsentintheformatindicatedinRFC5910(EPPDNSSecurityExtensionsMapping).

TheRegistryOperatorwillcalculateandinsertthederivedDSresourcerecords.

3.5. MethodtoprovepossessionofprivatekeyTheRegistryOperatordoesnotconductanycontrolswiththeaimofvalidatingtheRegistrantasthemanagerofaprivatekey.TheRegistrarisresponsibleforconductingthecontrolsthatarerequiredandthosedeemednecessary.

3.6. RemovalofDSresourcerecordADSrecordisderegisteredbysendingarequestfromtheRegistrartotheRegistryOperator.ThederegistrationofallDSrecordswilldeactivatetheDNSSECsecuritymechanismforthezoneinquestion.

3.6.1. AuthoritytorequestderegistrationOnlytheRegistrant,orthepartyformallydesignatedbytheRegistrantbyassigningeithertheTechCorAdminCrole,hastheauthoritytorequestderegistrationoftheDSrecords.




3.6.2. DeregistrationprocedureTheRegistrantortheRegistrant’srepresentativeintheformofTechCorAdminCtaskstheRegistrarwithimplementingthederegistration.TheRegistrarmayonlydothisonbehalfoftheRegistrant.FromthetimethederegistrationrequesthasbeenreceivedbytheRegistryOperatorviaEPP,ittakesnolongerthanuntilthenextzonegenerationforthechangetoberecordedinthezonefile.

Subsequently,ittakesuptotwotimestheTTLplusthedistributiontimebeforethechangeshavebeendeployed.Thewholeproceduremaytakeamaximumoffivehourstocomplete.

4. Facility,Management,andOperationalControls

4.1. PhysicalControlsTheRegistryOperatorhasimplementedphysicalsecuritycontrolstomeettherequirementsspecifiedinthisDPS.

4.1.1. SitelocationandconstructionTheRegistryOperatoroperatesmultiplesitesintheBenelux,atleast25kilometersapart.TheredundantfacilitycontainsacompletesetoftheRegistry’scriticalsystems,whoseinformationiscontinuouslyupdatedthroughautomaticreplicationofthenormaloperationsfacility.Allofthesystemscomponentsareprotectedwithinaphysicalperimeterwithanaccesscontrolandalarmsystem.

Thebackupoperationsfacilitymeetstheminimumstandardsappliedtothenormalfacilityintermsofphysicalsecurity,powersupply,environmentandfireandwaterprotection.

4.1.2. PhysicalaccessAllofourfacilitieshaverestrictedaccess,limitedtoauthorizedpersonnel.

4.1.3. PowerandAirConditioningAllfacilitieshaveUninterruptiblePowerSupply(UPS)capabilitiesandairconditioning.Theexternaldatacentersiteshaveredundantsystemsinplaceintheeventofapowerfailure.

4.1.4. WaterExposureToavoidtheriskofwaterexposure,allofourfacilitiesareonelevatedfloorswellabovegroundlevel.

4.1.5. FirePreventionandProtectionAllfacilitieshavefiredetectorsandgasextinguishers.

4.1.6. MediaStorageSensitivemediaisstoredinasafewhichisonlyaccessiblebytheRegistryOperator’sSeniorManagementandspecificallydesignatedpersonnel.

4.1.7. WasteDisposalSensitivedocumentsandmaterialsareshreddedbeforedisposal.Mediausedtocollectortransmitsensitiveinformationisrenderedunreadablebeforedisposal.




4.1.8. Off-siteBack-upSignerbackupsarestoredonourstoragesystemsspreadacrossallofourdatacenters.

4.2. ProceduralControls4.2.1. TrustedRolesTrustedrolesareheldbypersonsthatareabletoaffectthezonefile’scontent,orthegenerationoruseofprivatekeys.Thetrustedrolesare:

• System&NetworkAdministrator

• SecurityOfficer,SO

4.2.2. NumberofpersonsrequiredpertaskAtanygiventime,theremustbeatleasttwoindividualswithintheorganizationpertrustedroleindicatedin4.2.1.

Signersystemactivationrequirestwopeopletobepresent;onefromeachrole.

Keygenerationrequirestwopeopletobepresent;onefromeachrole.

Theexportandcontroloftrustanchorsrequirestwopeopletobepresent;onefromeachrole.

Noneoftheaforementionedoperationsmaybeperformedinthepresenceofunauthorizedpeople.

4.2.3. IdentificationandauthorizationofpeopleintrustedrolesOnlypeoplewhohavesignedaconfidentialityagreementandanagreementtoacknowledgetheirresponsibilitieswiththeRegistryOperatormayholdatrustedrole.Beforeapersonreceivestheircredentialsforsystemaccess,avalidformofidentificationmustbepresented.Referto4.3.2.

4.2.4. SeparationofDutiesThetrustedrolesin4.2.1abovemaynotbeheldsimultaneouslybyoneandthesameperson.TheseparationofdutiesisforcedbytheSecurityOfficernothavingexclusivephysicalaccesstotheoperationalfacilities,andtheNetwork&SystemAdministratornothavingaccesstotheactivationmaterialofthesignersystem.

4.3. PersonnelControls 4.3.1. Qualifications,experienceandclearancerequirementsEngineerstakingpartintheTrustedRoleshavemusthavethequalificationsnecessaryfortheDNSengineerjobrole.

4.3.2. BackgroundchecksTheevaluationofbackgroundchecksisconductedatthetimeofhiringtheengineer.

4.3.3. TrainingRequirementsShouldanewteambeformed,thisteamwillhavetoobserveatleastoneregularkeyroll-overwithanexistingteam.




4.3.4. JobRotationFrequencyandSequenceTheresponsibilityforconductingoperationsisrotatedoneachoccasionbetweenthepeoplewhoholdatrustedrole.

4.3.5. ContractingPersonnelRequirementsNopersonoutsideofthespecifiedTrustedRolescangetaccesstothesignersystems.Ifnecessary,ateamcanperformcertaintaskswiththeguidanceofanexternalcontractor.Atnotimeisthecontractorallowedtobethepersonperformingthetasksonthesystem.

4.3.6. DocumentationSuppliedtoPersonnelTheregularproceduresforbackupandrestoreareavailabletoallpersonnelinvolved.Ifmajoralterationstothoseproceduresaremade,theengineersofthoseteamswillbeinformedaccordingly.

4.4. AuditLoggingProceduresLoggingisautomaticallycarriedoutandinvolvesthecontinuouscollectionofinformationregardingtheactivitiesthattakeplaceinanITsystem.Thisloginformationisusedinthemonitoringofoperations,forstatisticalpurposesandforinvestigationpurposesinsuspectedcasesofviolationof.SE’spoliciesandregulations.

Logginginformationalsoincludesthejournals,checklistsandotherpaperdocumentsthatarevitaltosecurityandthatarerequiredforauditing.

Thepurposeofthecollectedloginformationistobeabletoreconstructthecaseafter-the-factandanalyzewhichpeopleorapplications/systemsdidwhatandatwhattime.Loggingandtheidentificationofusersenablessuchfeaturesastraceabilityandthefollow-upofunauthorizeduse.

4.4.1. TypesofEventsRecordedPhysicalaccesstothefacilitiesusedforoursigningsystemsisloggedautomaticallyonenterandexit.Themainoperationsiterequirespersonneltobespecificallygrantedpermissiontoenterthesuiteinwhichtheequipmentislocatedandtheywillhavetosign-inusingavalididentification(passport,driverslicense,etc.).

Logmessagesfromthesignersystemswillbesentsecurelytoaloggingsystemandrecordedforauditpurposes.

4.4.2. FrequencyofcontrolofloginformationLogsarecontinuouslyanalyzedthroughautomatedandmanualcontrols.Specificcontrolsareconductedonprocessesincludingkeygeneration,systemrebootsanddetectedanomalies.

4.4.3. RetentionperiodforloginformationLoginformationisstoredinlogsystemsfornotlessthan30days.Thereafter,theloginformationisarchivedfornotlessthantenyears.




4.4.4. ProtectionofAuditLogAuditlogsofourmainoperationsitearestoredatbothoperationsfacilitiesatthesametime.Theloggingsystemisprotectedagainstunauthorizedviewingandthemanipulationofinformation. 4.4.5. SecuritybackupsofloginformationAllelectronicloginformationissecurelybackeduponamonthlybasisandisstoredseparatelyfromthesysteminasecurelocation.Allpaper-basedloginformationisscannedandelectronicallytransferredtobothfacilities.

4.4.6. Log-informationcollectionsystemElectronicloginformationistransferredinreal-timetothecollectionsystems;oneforeachfacilityandexternaltothekeygeneratingsystem.Manuallogsarerecordedonpaper,scanned,andmanuallytransferredtothecollectionsystemonamonthlybasis.Theoriginaldocumentsarearchivedinafireproofsafe.

4.4.7. Notificationtoevent-causingsubjectPersonnelcausinganeventtobeloggedwillnotbenotifiedthatsuchloggingistakingplacenorwilltheybeentitledtoreviewthelogdata.

4.4.8. VulnerabilityassessmentsAllanomaliesintheloginformationareinvestigatedtoanalyzepotentialvulnerabilities.

4.5. CompromiseandDisasterRecovery4.5.1. IncidentmanagementAllrealandperceivedeventsofasecurity-criticalnaturethatcausedorcouldhavecausedanoutage,damagetotheITsystem,disruptionsanddefectsduetoincorrectinformationorsecuritybreachesaredefinedasincidents.

AllincidentsarehandledinaccordancewiththeRegistry’sincidenthandlingprocedures.Theincidenthandlingprocedureincludesinvestigatingthecauseoftheincident,whateffectstheincidenthashadormayhavehad,measurestopreventtheincidentfromrecurringandformstofurtherreportthisinformation.

Anincidentthatinvolvessuspicionthataprivatekeyhasbeencompromisedleadstotheimmediaterolloverofkeyspursuanttotheproceduresindicatedinchapter4.5.3.

4.5.2. Corruptedequipment,softwareorinformationIntheeventofcorruption,theincidentmanagementproceduresshallbeinitiatedandappropriatemeasuresshallbetaken.

4.5.3. EntityPrivateKeyCompromiseProceduresUponthesuspectedorknowncompromiseofakey,wewillassessthesituation,developandimplementanactionplanwithapprovalfromtheSecurityOfficerandSeniorManagement.




• Ifazonesigningkeyissuspectedofhavingbeencompromised,itwillimmediatelyberemovedfromproductionandstoppedbeingused.Ifnecessary,anewZSKwillbegeneratedandtheoldkeywillberemovedfromthekeysetassoonasitssignatureshaveexpiredortimedout.

• IfaKSKissuspectedofhavingbeencompromised,anewkeywillbegeneratedandputintoimmediateuse,inparallelwiththeoldkey.TheoldKSKwillremaininplaceandbeusedtosignkeysetsuntilsuchtimeasitcanbeconsideredsufficientlysafetoremovethekeytakingintoaccounttheriskforsystemdisruptionsinrelationtotheriskthatthecompromisedkeypresents.

4.5.4. ContingencyplanTheRegistryOperatorhasacontingencyplanthatensuresthatoperation-criticalproductioncanberelocatedbetweenthetwooperationfacilitieswithinfourhours.Thefacilitiesareequivalentintermsofphysicalandlogisticalprotection.Informationisreplicatedbetweenthefacilities.Frequentlyusedsparecomponentsandcriticalhardwarecomponentsarestoredonsiteineachoperationsfacility.

Thecontingencyplanandroutinesareregularlytested.Thecompletedtestsandtrialsarerecordedandsubsequentlyevaluated.

Thecontingencyplanincludes:

•Whodecidesontheactivationofanemergencyrecoveryprocedure;

•Howandwherethecrisismanagementshallconvene;

•Activationofbackupoperations;

•AppointmentofaTaskManager;

•Criteriaforrestoringnormaloperations.

4.5.5. EntityterminationIftheRegistryOperatormustdiscontinueDNSSECfortheRegistryzoneforanyreasonandreturntoanunsignedposition,thiswilltakeplaceinanorderlymannerinwhichthegeneralpublicwillbeinformed.Ifoperationsaretobetransferredtoanotherparty,theRegistrywillparticipateinthetransitionsoastomakeitassmoothaspossible.




5. TechnicalSecurityControls

5.1. KeyPairGenerationandInstallation

5.1.1. KeyPairGenerationKeygenerationtakesplaceonasigningsystemthatismanagedbytrainedandspecificallyappointedpersonnelintrustedroles.

Keygenerationtakesplacewhennecessaryandmustbeperformedbytwopeopleworkinginunison.Thesepeoplearepresentduringtheentireoperation.

Theentirekey-generationprocedureislogged,partofwhichisdoneelectronicallyandpartofwhichisdonemanuallyonpaperbytheSecurityOfficer.

5.1.2. PublicKeyDeliveryThepubliccomponentofeachgeneratedKSKisexportedfromthesigningsystemandverifiedbytheSecurityOfficerandNetwork&SystemAdministrator.TheSecurityOfficerisresponsibleforpublishingthepubliccomponentoftheKSKinasecuremannerasper2.1.TheNetwork&SystemAdministratorisresponsibleforensuringthatthekeysthatarepublishedarethesameasthosethatweregenerated.

5.1.3. QualitycontrolofkeyparametersKeyparametersareregularlyreviewedandqualitycontrolincludescheckingthekeylength.

5.1.4. KeyUsagePurposesKeysgeneratedforDNSSECareneverusedforanyotherpurposeoroutsidethesigningsystem.AsignaturecreatedbyaDNSSECkeyhasamaximumvalidityperiodof90daysfortheZSKandof1yearfortheKSK,startingfromthetimethesignatureisproduced.

5.2. PrivateKeyProtectionandCryptographicModuleEngineeringControlsAllcryptographicoperationsareperformedonthesigningsystemandnoprivatekeysareeverfoundunprotectedoutsideit.

5.2.1. CryptographicModuleStandardsandControlsThesigningsystemusedforsigningthezonesisusingFIPS140-2Level2-certifiedflashdrivesforstart-upandprivatekeybackup. 5.2.2. PrivateKey(m-of-n)Multi-personControlNoaccesstounencryptedkeysisavailableintheentiresystem.AccesstothesignersystemisspecifiedintheTrustedRolessection.

5.2.3. KeyescrowTheRegistrydoesnotapplyakeyescrow.




5.2.4. PrivateKeyBackupThekeyarchiveisencryptedwithaStorageMasterKey(SMK).ThekeyarchiveandtheSMKarestoredonaportablestoragemedium(FIPS140-2Level2-certifiedflashdrives)inabankvault,whichcanonlybeaccessedbyaSecurityOfficer.

Keysarestoredinanencryptedformatonthesigningmodule’sharddrive.Theencryptedkeyarchiveissecurelybackedupandsynchronizedbetweentheoperationsfacilitiesimmediatelyafterkeygeneration.

5.2.5. PrivateKeyArchivalPrivatekeyscanberestoredfromtheback-upsspecifiedabove.Privatekeysarenotarchivedonthesignersystemoncetheyhavebeenrevoked.

5.2.6. PrivateKeyTransferIntoorFromaCryptographicModulePrivatekeyscanonlybetransferredoffthesysteminencryptedformandrestoredontotheback-upsystembytheteamsdescribedintheTrustedRolessection.

5.2.7. StorageinacryptographicsecuritymoduleTheStorageMasterKey(SMK)issharedbyallsecuritymodulesinthesystem.Thismasterkeyisusedtodecryptthekeyarchivethatisstoredoutsidethesecuritymodulewhiledeactivated.

5.2.8. MethodforactivatingprivatekeysPrivatekeysareactivatedbyunlockingthesigningsystem.AnSAprovidesanSOwithaccesstothefacility.TheSecurityOfficerstatesapersonalpassphraseforthesigningsystemthroughaconsole.

5.2.9. MethodfordeactivationofprivatekeysThesigningsystemislockedafterthesystemiseitherturnedofforrebooted.

5.2.10. DestructionofprivatekeysPrivatekeysarenotdestructed.Aftertheirusefullife,theyareremovedfromthesigningsystem.

5.3. OtherAspectsofKeyPairManagement

5.3.1. PublicKeyArchivalPublickeysarearchivedinaccordancewiththearchivingofotherinformationrelevanttotraceabilityinthesystem,suchaslogdata.

5.3.2. KeyUsagePeriodKeysbecomeinvalidastheyaretakenoutofproduction.Oldkeysarenotreused.

5.3.3. ActivationdataTheactivationdataisthepersonalpassphraseforeachSecurityOfficerthatisusedtoactivatethesigningsystem.

5.3.4. GenerationandinstallationofactivationdataEachSecurityOfficerisresponsibleforcreatingtheirownactivationdatapursuanttotheapplicablerequirementsofatleastninecharactersofvaryingnature.




5.3.5. ProtectionofactivationdataEachSecurityOfficerisresponsibleforprotectingtheiractivationdatainthebestpossibleway.Onthesuspicionofcompromisedactivationdata,theSecurityOfficermustimmediatelychangeit.

5.3.6. OtheraspectsofactivationdataIntheeventofanemergency,thereisasealedandtamperevidentenvelopeinasecurelocationthatcontainsactivationinformationwithinstructionsonappointinganEmergencySecurityOfficer(ESO).TheDNSSECcontingencyplanproceduresstatetheconditionsinwhichthisshallbeapplied.

5.4. ComputerSecurityControlsAllcriticalcomponentsoftheRegistry’ssystemsareplacedintheorganizationssecurefacilitiesinaccordancewith4.1.Accesstotheserver’soperatingsystemsislimitedtoindividualsthatrequirethisfortheirwork,meaningNetwork&SystemAdministrators.Allaccessisloggedandistraceableattheindividuallevel.

5.5. NetworkSecurityControlsSystemsholdingthesigninginfrastructureareinsideadedicatedVLANinsideournetworkinfrastructure.Theonlycommunicationschanneltothosesystemsisthroughourfirewall,whichislimitedtotheminimalcapabilitiesnecessaryfortheoperationofthesystem.Allsensitiveinformationthatistransferredoverthecommunicationsnetworkisalwaysprotectedbystrongencryption.

5.6. TimestampingThesignersystemssecurelysynchronizetheirsystemclockswithatrustedtimesourceinsideournetwork.

5.7. LifeCycleTechnicalControls

5.7.1. SystemdevelopmentcontrolsAllsourcecodeisstoredinaversioncontrolsystem.Thesourcecodearchiveisregularlybackedupandcopiesarestoredseparatelyinafireproofsafe.

Thedevelopmentmodelisbasedonindustrystandardsandincludes:

•Fullyfunctionalspecificationanddocumentedsecurityrequirements;

•Documentedarchitecturaldesignbasedonanaturalmodularizationofthesystem;

•Continuouspursuitofminimizingcomplexity;

•Systematicandautomatedtestingandregressiontests;

•Issuingofdistinctsoftwareversions;

•Constantqualityfollow-upsofdetecteddefects.




5.7.2. SystemmanagementcontrolsAuthorizationregistersarekeptandfollowedupregularly.TheRegistryOperatoralsoconductsregularsecurityauditsofthesystem.TheRegistrypreparesandmaintainsasystemsecurityplanthatisbasedonrecurringriskanalysis.




6. ZoneSigning

6.1. KeyLengthsandAlgorithmsKeylengthsandalgorithmsaretobeofsufficientlengthfortheirdesignatedpurposeduringeachkey’susefullife.

AlgorithmsshallbestandardizedbytheIETF,availabletothepublicandresourceefficientforallpartiesinvolved.

TheRSAalgorithmwithakeylengthof2048bitsiscurrentlyusedforKSKand1024bitsforZSK.

6.2. AuthenticatedDenialofExistenceAuthenticateddenialofexistencewillbeprovidedthroughtheuseofNSEC3recordsasspecifiedinRFC5155.

6.3. SignatureFormatSignaturesarecreatedwiththeRSASHA1-NSEC3-SHA1algorithm.

6.4. ZoneSigningKeyRoll-over(ZSK)TheRegistrywillrolltheZSKwithapre-publishingschemeasdescribedinRFC4641,section4.2.1.1.

6.5. KeySigningKeyRoll-over(KSK)TheRegistrywillrolltheKSKwithadouble-signingschemeasdescribedinRFC4641,section4.2.1.2.

6.6. SignatureLife-timeandRe-signingFrequencyRRsetsaresignedwithZSKswithasignaturelifetimeof90days.Resigningtakesplaceeveryday.

6.7. VerificationofzonesigningkeysetToensuresignaturesandthevalidityperiodofkeys,securitycontrolsareconductedagainsttheDNSKEYpriortopublishingzoneinformationontheInternet.ThisisdonebyverifyingthechainfromDSintheparentzonetoKSK,ZSKandthesignatureovertheRegistry’sSOA.

6.8. VerificationofresourcerecordsTheRegistryOperatorverifiesthatallresourcerecordsarevalidinaccordancewiththecurrentstandardspriortodistribution.

6.9. ResourceRecordsTime-to-live(TTL)• DNSKEY : EqualtotheTTLusedfortheSOArecord• NSEC3 : EqualtotheminimumfieldoftheSOArecord• RRSIG : EqualtothelowestTTLoftherecordsetcovered• DS : EqualtotheTTLoftheNSRRset




7. ComplianceAuditAuditeddocuments(policy,procedures,requirements),informationregardingfactsorotherinformationthatisrelevantinconsiderationoftheauditcriteriaandthatisverifiableareusedasdocumentationwhenconductingaudits.

7.1. FrequencyofentitycomplianceauditTheneedofauditsisdecidedbytheRegistryOperator.Circumstanceswhichmayentailanauditrequirementare:

•Recurringanomalies;

•Significantchangesthataremadeatthemanagementlevel,intheorganizationorinprocesses;

•Othercircumstances,suchasthecompetenceamongpersonnel,newequipmentorothermajorchanges;

7.2. QualificationsofauditorTheauditorshallbeabletodemonstrateproficiencyinITsecurity,DNSandDNSSEC.

7.3. Auditor'srelationshiptotheauditedpartyAnexternalauditingmanagershallbeappointedfortheaudit.Whennecessary,theauditingmanagershallbeabletorecruitspecificexpertknowledge.Theauditingmanagerisresponsibleforimplementationduringtheentireaudit.

7.4. TopicscoveredbyauditTheauditingmanager’sassignmentincludesensuringthat:

•TherightcompetencerepresentstheRegistry;

•Theauditeeisinformedandpreparedpriortotheaudit;

•Theauditeeisinformedofthetopicoftheauditinadvance;

•Follow-upproceduresoftheauditresultsareinplace;

7.5. ActionstakenasresultofdeficiencyTheauditingmanagershallimmediatelyverballyinformtheRegistryOperator’smanagementofanyanomalies.

7.6. CommunicationofresultsTheauditingmanagershallsubmitawrittenreportoftheauditresultstotheRegistryOperatornotlaterthan30calendardaysaftertheaudit.




8. LegalMatters

8.1. FeesTheRegistrydoesnotchargeanyfeesforDNSSECfromRegistrars.

8.2. Privacyofpersonalinformation

8.2.1. ResponsibilitytoprotectpersonalinformationThisisregulatedbytheRegistryOperator’sRegistrationtermsandconditionsandbyagreementbetweentheRegistryOperatorandtheRegistrar.

8.2.2. DisclosureofpersonalinformationtojudicialauthoritiesConsideringthefactthatthegTLDinquestionissubjecttoSpecification13,whereanyandalldomainnamesareregisteredinthenameoftheRegistryOperatororitsAffiliates.ReferenceismadetothetermsandconditionsforregisteringdomainnamesintheTLD,asprovidedtoICANNinthecontextofRegistryOperator’srequestforSpecification13.

8.3. LimitationsofliabilityAstheTLDisoperatedinaccordancewithSpecification13,DeutschePostAG(anditsaffiliates)asregistrant(s)areunlikelytoincurdamagesastheresultofissueswithdomainnamesithasregistereditselfintheTLD.

8.4. Termandtermination

8.4.1. ValidityperiodThisDPSappliesuntilfurthernotice.

8.4.2. ExpirationofvalidityThisDPSisvaliduntilitisreplacedwithanupdatedornewversionasstatedinsection1.4.3.

8.4.3. DisputeresolutionReferenceismadetothetermsandconditionsforregisteringdomainnamesintheTLD,asprovidedtoICANNinthecontextofRegistryOperator’srequestforSpecification13.

8.4.4. GoverninglawTheoperationofthisRegistryisgovernedbythelawsofGermany.

Documents

Document control Document information and security · Document control Document information and security CONDUCTED BY RESPONSIBLE FOR FACTS RESPONSIBLE FOR DOCUMENT SECURITY OFFICER