XN--P1AI (РФ) DNSSEC Policy and Practice Statement
|
|
- Megan McCormick
- 8 years ago
- Views:
Transcription
1 XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability... 2 Registry... 2 Registrar... 3 Registrant... 3 Relying party... 3 Applicability... 3 Specification Administration... 3 Specification administration organization... 3 Contact Information... 3 Specification change procedures... 3 PUBLICATION AND REPOSITORIES... 3 Repositories... 3 Publication of key signing keys... 4 Access controls on repositories... 4 OPERATIONAL REQUIREMENTS... 4 Activation of DNSSEC for child zone... 4 Identification and authentication of child zone manager... 4 Registration of delegation signer (DS) resource records... 4 Method to prove possession of private key... 4 Removal of DS record... 4 FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS... 4 Physical Controls... 4 Site location and construction... 4 Physical access... 4 Power and air conditioning... 5 Water exposures... 5 Fire prevention and protection... 5 Media storage... 5 Waste disposal... 5 Off-site backup... 5 Procedural Controls... 5 Personnel Controls... 5 Qualifications, experience, and clearance requirements... 5 Training requirements... 5 Retraining frequency and requirements... 6 Documentation Supplied to Personnel... 6 Audit Logging Procedures... 6 Compromise and Disaster Recovery... 6 TECHNICAL SECURITY CONTROLS... 6 Key Pair Generation and Installation... 6 Key pair generation... 6 Public key delivery... 6 Public key parameters generation and quality checking... 6 Key usage purposes... 6 Private key protection and Cryptographic Module Engineering Controls... 7 Private key (m-of-n) multi-person control... 7
2 Private key backup... 7 Private key archival... 7 Private key transfer into or from a cryptographic Module... 7 Method of activating private key... 7 Method of deactivating private key... 7 Method of destroying private key... 7 Other Aspects of Key Pair Management... 7 Public key archival... 7 Key usage periods... 7 Activation data... 8 Activation data generation and installation... 8 Activation data protection... 8 Other aspects of activation data... 8 Computer Security Controls... 8 Network Security Controls... 8 Timestamping... 8 Life Cycle Technical Controls... 8 System development controls... 8 Security management controls... 8 Life cycle security controls... 8 ZONE SIGNING... 9 Key lengths and algorithms... 9 Authenticated denial of existence... 9 Signature format... 9 Zone signing key roll-over... 9 Key signing key roll-over... 9 Signature life-time and re-signing frequency... 9 Verification of zone signing key set... 9 Verification of resource records... 9 Resource records time-to-live... 9 COMPLIANCE AUDIT... 9 LEGAL MATTERS... 9 INTRODUCTION Overview The present document describes procedures and measures undertaken to implement DNSSEC in the XN P1AI (РФ) TLD. Document name and identification DNSSEC Policy and Practice Statement, or DPS. Community and Applicability Registry The TLD Registry Operator bears responsibility for the Internet s top-level domain. The Registry Operator has powers to design domain names registration rules in the TLD, including the DNSSEC policy implementation procedures, as well as to manage and operate the KSK keys.
3 The Registry Operator will outsource Full Registry Solution to an external subcontractor, namely, JSC Technical Center Internet (hereinafter referred to as Registry Service Provider). The Registry Service Provider s duties will encompass maintenance of the registry database and SRS. Registry Service Provider is responsible for validation and processing of DNSSEC data received from an accredited registrar, formation and signing of the TLD zone file, management and operation of the ZSK keys, and distribution of the signed zone across the appropriate DNS servers. Registrar A Registrar is the party responsible for administration and management of domain names on of behalf of the Registrant. Accredited registrars are responsible for checking the attribution of a KSK key to a domain name administrator. Registrant A Registrant is a physical or legal entity that controls a domain name. Guided by their needs, registrants of domain names in the TLD introduce necessary changes via accredited registrars. TLD Registry Operator is not responsible for the accuracy of registrant s domain zone signing, as well as for the actuality of public keys placed in the Registry system in the form of DS records. Relying party The relying party is the entity relying on DNSSEC such as validating resolvers and other applications. The relying party is responsible for configuring and updating the appropriate trust anchors. Applicability This DPS is applied to the XN P1AI (РФ) TLD zone. It describes procedures and measures undertaken to implement DNSSEC in the XN P1AI (РФ) TLD. Registrant Zones are subject to Registrant's policy and do not fall under the scope of the present document. Specification Administration This document will be periodically revised and updated, where necessary. Specification administration organization The Technical Center of Internet, JSC Contact Information Russia, Moscow, Zoologicheskaya str., 8 Specification change procedures Any change to this document needs to be signed off by a senior IT-security engineer. PUBLICATION AND REPOSITORIES Repositories The Registry Service Provider publishes DNSSEC-relevant information on the official website at The electronic version of this DPS at this specific address is the official version thereof.
4 Publication of key signing keys The Registry Service Provider composes a chain of trust of DNSSEC by publishing public KSKs in the form of DS record directly in the root zone. Access controls on repositories Information published at the specific website is available to general public and is protected from unauthorized additions, deletion or modification of thecontent on the website. It is highly recommended that you validate the SSL certificate of the Registry Service Provider website. OPERATIONAL REQUIREMENTS Activation of DNSSEC for child zone DNSSEC is activated by at least one DS record and the corresponding DNSKEY record for the child zone sent from the Registrar to the Registry Service Provider. The Registry Service Provider presumes that the DS record is correct by performing the following tests: digest algorithm checkup, digest checkup and key tag checkup. Once the checkups have been passed and the zone has been delegated, the DS record is published in the DNS, which established a chain of trust to the child zone. Identification and authentication of child zone manager It is the responsibility of the Registrar to securely identify and authenticate the Registrant through a suitable mechanism. Registration of delegation signer (DS) resource records The Registry Service Provider accepts DNSKEY records and corresponding DS records through the EPP interface from each Registrar. The DS and DNSKEY records must be valid and sent in the format indicated in RFC The TLD Registry Database supports placement of DS records generated in accordance with RFC 4034 and RFC Method to prove possession of private key The Registry Service Provider does not conduct any controls with the aim of validating the Registrant as the private key manager. The Registrar is responsible for conducting suitable controls. Removal of DS record A DS record is removed by sending a request from the Registrar to the Registry Service Provider through the EPP interface. The removal of all DS records will deactivate the DNSSEC mechanism for the Registrant s zone. Only the Registrant, or the party formally designated by the Registrant, has the authority to request removal of the DS records. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS Physical Controls Site location and construction The Registry Service Provider operates several sites in the Russia. These include secure cabinets in data centres, safe room in the Registry Service Provider office and a backup site. Physical access All of our facilities have restricted access, limited to authorized personnel.
5 Power and air conditioning All facilities have UPS capabilities and air conditioning. The external data centre sites have redundant systems in place in the event of a power failure. Water exposures The Registry Service Provider has taken reasonable precautions to minimize the impact of water exposure to the signer systems. Fire prevention and protection All of our facilities have fire detectors and gas extinguishers. Media storage Sensitive media are stored in a safe which is only accessible by authorized personnel. Waste disposal Sensitive documents and materials are shredded before disposal. Media used to collect or transmit sensitive information are rendered unreadable before disposal. Off-site backup The Registry Service Provider performs routine backups of critical system data. Off-site backup media are stored in a physically secure manner at remote location. Procedural Controls To operate the private KSKs there have been established two staff roles, namely, Crypto Officer and Crypto Operator, each providing for at least two authorized individuals to act in this capacity. Each person has his/her own authentication token and a password to access it. Operating the private KSKs requires at least two Crypto Officer s and one Crypto Operator s authentication tokens. Under no circumstances may the staffer deployed to operate the private KSKs combine the roles of Crypto Officer and Crypto Operator. To operate the private ZSK there has been established a staff role, namely, the Domain Zone Administrator, which provides for at least two individuals with the respective authority. To control and manage ZSKs in a semi-automatic mode at least one authorized individual is required. Another role is the External Observer, which provides for at least two individuals with the respective authority. External Observer controls the exercise of operational procedures with regard to the private KSK. Personnel Controls Qualifications, experience, and clearance requirements The personnel for the aforementioned trusted staff roles are employees of the Registry Service Provider or any other officers specifically approved by the Registry Operator. They must have expertise in the DNSSEC technology application area. Training requirements New staff engaged in the exercise of the above roles must study the internal policy documentation describing the DNSSEC functioning. They should also participate in DNSSEC procedures as External Observers.
6 Retraining frequency and requirements The Registry Service Provider periodically examines the necessity of staff retraining. Retraining is provided as necessary. Documentation Supplied to Personnel The regular procedures documentation is available to all the personnel involved. Audit Logging Procedures Each fact of accessing the specially assigned area for operating the DNSSEC cryptographic information is recorded in the automated system. In those zones where automation is impossible, facts of access thereto are documented in special journals. Journals and saved logs in the automated access system are regularly reviewed and analyzed. The periodicity of evaluation is determined by the security audit procedure. While evaluating the journals in question, a strict division of roles between person (s) who conduct the evaluation and those whose actions are subject to monitoring is ensured. Compromise and Disaster Recovery Somewhere an event has resulted or may result in a security breach, an internal inquiry is conducted to detect causes behind the incident and to remedy them. If such an event compromises the DNSSEC cryptographic information, an emergency key rollover shall be launched, with the Crypto Operator initiating the emergency key rollover procedure. When an emergency roll-over is performed for a compromised key, the Registry Service Provider s will continue to operate this key for at least a minimum time to complete emergency roll-over. TECHNICAL SECURITY CONTROLS Key Pair Generation and Installation Key pair generation New KSKs are generated and stored on a specialized device, Hardware Secure Module (HSM), which has no connection to the network infrastructure. All cryptographic operations requiring private KSK are performed with this device or with an equivalent one, which is used as back-up one. For the sake of backup, the private KSK may leave the device only in the encrypted form. New ZSKs are generated and stored on a DNSSEC signer server, which is connected to the TLD Registry Database s internal network infrastructure. All cryptographic operations requiring the private ZSK are performed with this device or with an equivalent one, which is used as backup one. The private ZSK can leave this device only in an encrypted form for the sake of backup. Public key delivery Public KSK is distributed to relying parties by means of DNS protocol. Public key parameters generation and quality checking Key parameters and quality control are regulated by the Registry Service Provider. Key usage purposes The Registry Service Provider uses signing keys only for generating signatures for the TLD zone.
7 Private key protection and Cryptographic Module Engineering Controls Private key (m-of-n) multi-person control Operations involving private KSK are performed by Crypto Officers and Crypto Operator as described in Procedural Controls section. The Crypto Officer s authentification tokens contain parts of a password required for activation of the private keys storage media at HSM. To restore the password m-of-n parts are required. Private key backup Backups of private keys are performed. The keys leave the devices only in the encrypted form. The Private KSK is kept in the encrypted form in an off-site safe which can only be accessed by Crypto Operator and decrypted by Crypto Officers. Backup copy of the private ZSK is stored at the hot-standby DNSSEC signer server which is located a remote site and is included into each registry database backup Private key archival Private keys that are no longer used are kept only as backup copies. Private key transfer into or from a cryptographic Module Private keys can only be transferred from the DNSSEC signer systems in the encrypted form and restored onto the backup system by authorized personnel, as described in Procedural Controls section. Method of activating private key Private KSKs are activated by unlocking the HSM and decrypting the private KSK storage. The Crypto Operator provides the Crypto Officers with access to console of the HSM. The Crypto Officers use authentification tokens to decrypt private KSK storage media at HSM. Private ZSKs are activated by the DNSSEC management interface under the Domain Zone Administrator s control. Method of deactivating private key Once the private KSK has been used it is deactivated immediately. The Private ZSK is stored within the online part of the signing system. It is in active state as long as it is marked as Active. Zone administrator is able to change ZSK s status by means of the DNSSEC management interface. Method of destroying private key Private keys are not subject to destruction. They are removed from the systems in a manner, so that they could not be used again. Other Aspects of Key Pair Management Public key archival Public keys are archived and backed up as a part of a routine backup procedure. Key usage periods KSKs will be rolled over once in thirteen months and ZSKs will be rolled over once in three months. The Registry Operator may change these periods as necessary. Obsolete keys are not reused.
8 Activation data Activation data generation and installation Activation data is a set of passwords for authentification tokens used to activate KSK by Crypto Operators and Crypto Officers (PIN-codes). Activation data protection Crypto Operators and Crypto Officers protect activation data in a sufficiently secure manner. Other aspects of activation data As a part of the emergency operation pattern, the Crypto Officers and the Crypto Operators may hold a copy of the password in individual sealed boxes in a secure location at Registry Service Provider s site. Computer Security Controls All critical components of the Registry Service Provider s systems are placed in secure facilities. Access to the systems is granted to authorized personnel responsible for a certain staff role. All cases of access to critical components are logged. Network Security Controls Systems holding the online part of DNSSEC signing infrastructure are connected to the internal network infrastructure which is logically separated from the Registry Service Provider s production infrastructure. The only communications channel to those systems is through the Registry Service Provider s firewall, which is limited to minimal capabilities necessary to operate the systems. The system holding private KSK has no network connection. Transfer of a Key Signing Request (KSR) to an offline signer system is performed manually using removable media. Timestamping The online DNSSEC signer systems securely synchronize their system clocks with a trusted time source inside our network. For the offline part of DNSSEC signing infrastructure time will be set manually before each KSK-related procedure. Life Cycle Technical Controls System development controls Applications that are developed by the Registry Service Provider can be traced to version control repositories. A third-party s components used on the Registry Service Provider s DNSSEC signer systems are tested and verified for compatibility with the Registry Service Provider s applications in lab environment before being deployed to production systems. Security management controls The Registry Service Provider conducts regular security audits of the systems. Life cycle security controls The signer systems are designed to require minimum maintenance. Updates critical to the security and operations of the signers system will be applied after testing and approval in lab environment.
9 ZONE SIGNING Key lengths and algorithms The algorithm and the key length for signing key that are considered secure by the Registry Service Provider for the usage period are adopted. Current algorithm for both KSK and ZSK is RSA-SHA256 with a key length of 2048 bits used for KSK and 1024bits for ZSK. Authenticated denial of existence For authentication of denial of existence the NSEC3 OPT-OUT mechanism is used [RFC 5155]. Signature format Signatures are generated using RSA with the SHA256 hash [RFC 5702]. Zone signing key roll-over Pre-publication scheme will be applied for ZSK [RFC 4641]. Key signing key roll-over Double-signature scheme will be applied for KSK [RFC 4641]. Signature life-time and re-signing frequency DNSKEY RR set signature life-time is 20 days. Other RR sets signatures life-time is 45 days. The re-signing frequency rate is once in every two hours. Signatures life-time and re-signing frequency can be changed by the Registry Service Provider as necessary. Verification of zone signing key set KSR, which consists of public ZSKs and KSKs, is signed by the Registry Service Provider PGP key. The offline signer system will automatically validate this signature with pre-imported PGP key before accepting the KSR for signing. Verification of resource records The Registry Service Provider verifies that all the resource records are conformant with the protocol standards. Resource records time-to-live TTL of DNSKEY, DS and their corresponding RRSIG is set to (4 days). TTL of NSEC3 and the corresponding RRSIG is set to 3600 (1 hour), which is the same as negative cache value for the zone. Those TTLs can be changed by the Registry Service Provider as necessary. COMPLIANCE AUDIT A regular audit takes place. It is regulated by the internal security audit policy. The audit reports are provided to the Registry Service Provider. Operational improvements are applied as necessary. LEGAL MATTERS The Registry Service Provider has no legal responsibilities for the matters described in this DPS. When operating TLD DNSSEC Service, the Registry Service Provider follows the law of Russian Federation and the rules defined by the Registry Operator.
DNSSEC Policy and Practice Statement.amsterdam
DNSSEC Policy and Practice Statement.amsterdam Contact T +31 26 352 55 00 support@sidn.nl www.sidn.nl Offices Meander 501 6825 MD Arnhem Mailing address Postbus 5022 6802 EA Arnhem May 24, 2016 Public
More informationDNSSEC - Tanzania
DNSSEC Policy & Practice Statement for.tz Zone Version 1.1 Effective Date: January 1, 2013 Tanzania Network Information Centre 14107 LAPF Millenium Towers, Ground Floor, Suite 04 New Bagamoyo Road, Dar
More informationDNSSEC Practice Statement (DPS)
DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with
More informationAmerican International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2
American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and
More informationHow To Use Dnsec
Jakob-Haringer-Str. 8/V Tel.: +43 662 46 69-0 Fax: +43 662 46 69-19 5020 Salzburg, Austria E-Mail:service@nic.at Web: www.nic.at DNSSEC Policy & Practice Statement (DPS) for.at A: Bank Austria Creditanstalt
More informationDNSSEC Policy Statement Version 1.1.0. 1. Introduction. 1.1. Overview. 1.2. Document Name and Identification. 1.3. Community and Applicability
DNSSEC Policy Statement Version 1.1.0 This DNSSEC Practice Statement (DPS) conforms to the template included in RFC 6841. 1. Introduction The approach described here is modelled closely on the corresponding
More informationKSRegistry DNSSEC Policy Statement
KSRegistry DNSSEC Policy Statement 1. INTRODUCTION...5 1.1 Overview...5 1.2 Document name and identification...5 1.3. Community and Applicability...5 1.3.1 Registry...5 1.3.2 Registrars...5 1.3.3 Registrants...6
More informationVerisign DNSSEC Practice Statement for EDU Zone
Verisign DNSSEC Practice Statement for EDU Zone Version 1.4 Effective Date: November 11, 2013 Abstract This document is the DNSSEC Practice Statement for the EDU Zone. It states the practices and provisions
More informationVerisign DNSSEC Practice Statement for TLD/GTLD Zone
Verisign DNSSEC Practice Statement for TLD/GTLD Zone Version 1.0 Effective Date: July 28, 2011 Abstract This document is the DNSSEC Practice Statement for the TLD/GTLD Zone. It states the practices and
More informationDNSSEC Practice Statement
DNSSEC Practice Statement 31 October 2014 Head Office Melbourne, Australia p +61 3 9866 3710 f +61 3 9866 1970 ABN 16 103 729 620 ACN 103 729 620 US Office Los Angeles, United States p +1 213 330 4203
More informationDNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers
DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers version 1.9., valid since 1 January 2010 Introduction This material lays out operational rules that govern the work of the CZ.NIC association
More informationDNSSEC Practice Statement.OVH
DPS.OVH 11/06/2013 1 DNSSEC Practice Statement.OVH Registry domain signature policy and conditions of implementation (Version 02 11/06/2013) DPS.OVH 11/06/2013 2 Document management Document identification
More informationDNSSEC Root Zone. High Level Technical Architecture
DNSSEC Root Zone Prepared by the Root DNSSEC Design Team Joe Abley David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren David Knight Tomofumi Okubo Jakob Schlyter Version 1.2.1 October
More informationDNSSEC Root Zone. High Level Technical Architecture
DNSSEC Root Zone Prepared by the Root DNSSEC Design Team Joe Abley David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren David Knight Tomofumi Okubo Jakob Schlyter Version 1.4 June 7, 2010
More informationDNSSEC Practice Statement for the IE cctld
IE Domain Registry Ltd DNSSEC Practice Statement for the IE cctld Version: 1.0 Date: 29 th November 2014 1 Document Control Document Information and Security CONDUCTED BY RESPONSIBLE FOR FACTS RESPONSIBLE
More informationThis framework is documented under NLnet Labs copyright and is licensed under a Creative Commons Attribution 4.0 International License.
DNSSEC Infrastructure Audit Framework NLnet Labs Document 2013-002 Version 1.0 by Matthijs Mekking (matthijs@nlnetlabs.nl) and Olaf Kolkman (olaf@nlnetlabs.nl) This framework is documented under NLnet
More informationDomain Name System Security Extensions (DNSSEC) Implementation Project. Request for Proposal
Domain Name System Security Extensions (DNSSEC) Implementation Project Request for Proposal Version 1.1 Date: 1 April 2015 Hong Kong Internet Registration Corporation Limited Unit 2002-2005, 20/F FWD Financial
More informationNational Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
More informationDNSSEC in your workflow
DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations
More informationDeploying DNSSEC: From End-Customer To Content
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical
More informationDanske Bank Group Certificate Policy
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
More informationDNSSEC - Why Network Operators Should Care And How To Accelerate Deployment
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October
More informationDNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS
AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys
More informationGatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria
Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from
More informationOverview of DNSSEC deployment worldwide
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research conducted by EURid in cooperation with industry experts
More informationCertificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr
Certificate Policy and Certification Practice Statement CNRS/CNRS-Projets/Datagrid-fr Version 0.3 August 2002 Online : http://www.urec.cnrs.fr/igc/doc/datagrid-fr.policy.pdf Old versions Version 0.2 :
More informationRoot Zone Signing Proposal
Root Zone Signing Proposal 22 September 2008 !"#$%&'(#)*%++,-.) This document describes VeriSign s proposal for signing the DNS root zone with the DNS Security extensions known as DNSSEC. This proposal
More informationDNSSEC for Everybody: A Beginner s Guide
DNSSEC for Everybody: A Beginner s Guide San Francisco, California 14 March 2011 4:00 to 5:00 p.m. Colonial Room The Schedule 2 This is Ugwina. She lives in a cave on the edge of the Grand Canyon... This
More informationCERTIFICATION PRACTICE STATEMENT UPDATE
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
More informationNeutralus Certification Practices Statement
Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3
More informationEDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network
EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah February 2nd 2010 1 DNSSEC DNS Security Extensions A system
More informationDNS at NLnet Labs. Matthijs Mekking
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationDNSSEC Applying cryptography to the Domain Name System
DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC
More informationA Review of Administrative Tools for DNSSEC Spring 2010
Page 1 (29) Andreas Nilsson Certezza AB Stockholm 2010-05-31 A Review of Administrative Tools for DNSSEC Spring 2010 Kornhamnstorg 61, 2 tr SE-111 27 Stockholm Sweden Telefon: +46 (0)8 791 92 00 Telefon:
More informationDNSSEC. Key Maintenance Analysis. by Jelte Jansen
DNSSEC Key Maintenance Analysis by Jelte Jansen DNSSEC Key Maintenance Analysis Jelte Jansen, NLnet Labs http://www.nlnetlabs.nl NLnet Labs document 2008-002 version 1.0 September 11, 2008 jelte@nlnetlabs.nl
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationRough Outline. Introduction Why DNSSEC DNSSEC Theory Famous last words. http://www.nlnetlabs.nl/ Universiteit van Amsterdam, Sep 2006.
page 2 Rough Outline An introduction to DNSSEC Olaf Kolkman 21 September 2006 Stichting (www.nlnetlabs.nl) Introduction Why DNSSEC DNSSEC Theory Famous last words page 3 DNSSEC evangineers of the day Olaf:
More informationCentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31, 2012. https://www.centralnic.
CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12 CentralNic Privacy Policy Version 1.0 July 31, 2012 https://www.centralnic.com/ CentralNic Privacy Policy Last Updated: February 6, 2012
More informationDNSSEC Deployment a case study
DNSSEC Deployment a case study Olaf M. Kolkman Olaf@NLnetLabs.nl RIPE NCCs Project Team: Katie Petrusha, Brett Carr, Cagri Coltekin, Adrian Bedford, Arno Meulenkamp, and Henk Uijterwaal Januari 17, 2006
More informationTR-GRID CERTIFICATION AUTHORITY
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.1 January, 2009 Table of Contents: TABLE OF CONTENTS:...2 1. INTRODUCTION...7 1.1 OVERVIEW...7 1.2 DOCUMENT
More informationKAZAKHSTAN STOCK EXCHANGE
KAZAKHSTAN STOCK EXCHANGE A p p r o v e d by Kazakhstan Stock Exchange Board of Directors decision (minutes No. 15 of November 6, 2002) Effective from November 7, 2002 N O T I C E Rules have been translated
More informationGood practices guide for deploying DNSSEC
Deploying DNSSEC January 10 Good practices guide Good practices guide for deploying DNSSEC About ENISA: The European Network and Information Security Agency (ENISA) is an EU agency created to advance the
More informationWHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid
WHITE PAPER Best Practices DNSSEC Zone Management on the Infoblox Grid What Is DNSSEC, and What Problem Does It Solve? DNSSEC is a suite of Request for Comments (RFC) compliant specifications developed
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationPrepared by: National Institute of Standards and Technology SPARTA, Inc. Shinkuro, Inc.
Signing the Domain Name System Root Zone: Technical Specification Prepared for: Science and Technology Directorate US Department of Homeland Security Prepared by: National Institute of Standards and Technology
More information3SECTION B SUPPLIES OR SERVICES AND PRICES/COSTS. This is a no cost, $0.00 time and material contract. B.2 COST/PRICE
3SECTION B SUPPLIES OR SERVICES AND PRICES/COSTS This is a no cost, $0.00 time and material contract. B.2 COST/PRICE The Contractor may not charge the United States Government to perform the requirements
More informationDNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper
DNSSEC - SECURE DNS FOR GOVERNMENT Whitepaper ii BlueCat Networks Use of this document Copyright This document and all information (in text, Graphical User Interface ( GUI ), video and audio forms), images,
More informationCertificate Policy. SWIFT Qualified Certificates SWIFT
SWIFT SWIFT Qualified Certificates Certificate Policy This Certificate Policy applies to Qualified Certificates issued by SWIFT. It indicates the requirements and procedures to be followed, and the responsibilities
More informationStep-by-Step DNSSEC-Tools Operator Guidance Document
Step-by-Step DNSSEC-Tools Operator Guidance Document Using the DNSSEC-Tools v1.0 distribution SPARTA, Inc. Table of Contents 1. Introduction... 1 Organization of this Document... 1 Key Concepts... 2 Zones
More informationPart 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology
SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2
More informationCertification Practice Statement
FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More information14. Privacy Policies. 14.1. Introduction
14. Privacy Policies 14.1. Introduction 14.2. Policy Accent Media Ltd, incorporated in England, is the Registry Operator for the Top Level Domain TLD.tickets ( the Registry ). As a company registered in
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationCERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE. 2015 Notarius Inc.
CERTIFICATION POLICY QUEBEC CERTIFICATION CENTRE 2015 Notarius Inc. Document Version: 4.5 OID: 2.16.124.113550 Effective Date: July 17, 2015 TABLE OF CONTENTS 1. GENERAL PROVISIONS...8 1.1 PURPOSE...8
More informationDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
F5 Technical Brief DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn t working,
More informationREGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.
REGISTRATION AUTHORITY (RA) POLICY Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A. INDEX Contenido 1. LEGAL FRAMEWORK... 4 1.1. Legal Base...
More informationNext Steps In Accelerating DNSSEC Deployment
Next Steps In Accelerating DNSSEC Deployment Dan York, CISSP Senior Content Strategist, Internet Society DNSSEC Deployment Workshop, ICANN 45 Toronto, Canada October 17, 2012 Internet Society Deploy360
More informationTHE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright 2006-2011, The Walt Disney Company
THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY July 2011 Version 2.0 Copyright 2006-2011, The Walt Disney Company Version Control Version Revision Date Revision Description Revised
More informationTR-GRID CERTIFICATION AUTHORITY
TR-GRID CERTIFICATION AUTHORITY CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT Version 2.3 May 15, 2014 Table of Contents TABLE OF CONTENTS:... 2 1. INTRODUCTION... 7 1.1 OVERVIEW... 7 1.2 DOCUMENT
More informationLand Registry. Version 4.0 10/09/2009. Certificate Policy
Land Registry Version 4.0 10/09/2009 Certificate Policy Contents 1 Background 5 2 Scope 6 3 References 6 4 Definitions 7 5 General approach policy and contract responsibilities 9 5.1 Background 9 5.2
More informationCS 356 Lecture 28 Internet Authentication. Spring 2013
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationAutodesk PLM 360 Security Whitepaper
Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationSpecifications for Registrars' Interaction with Flexireg Domain Registration System
Foundation for Assistance for Internet Technologies and Infrastructure Development Specifications for Registrars' Interaction with Flexireg Domain Registration System Version 1.1. Moscow, 2015 Table of
More informationConsultation on Root Zone KSK Rollover
Consultation on Root Zone KSK Rollover 2012-12-14 Consultation Objective The Internet Assigned Numbers Authority (IANA) Functions contract (SA1301---12---CN---0035) between ICANN and the United States
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationMeeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
More informationHIPAA Security Matrix
HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software
More informationMiami University. Payment Card Data Security Policy
Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that
More informationapple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.
Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.8 Effective Date: June 11, 2012 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2.
More informationSP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter
SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals
More informationESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0
ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0 June 30, 2004 Table of Contents Table of Contents...2 1 Introduction...3 1.1 Overview...3 1.1.1 General Definitions...4
More informationCalifornia Independent System Operator Certification Practice Statement for Basic Assurance Certification Authority. Version 3.
California Independent System Operator Certification Practice Statement for Basic Assurance Certification Authority Version 3.4 April 2015 Table of Contents 1.0 INTRODUCTION... 8 1.1 OVERVIEW... 8 1.2
More informationTechnical Standards for Information Security Measures for the Central Government Computer Systems
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationIncorporating Digital Signing & Encryption in Transactions in the Payment System of Sri Lanka
Incorporating Digital Signing & Encryption in Transactions in the Payment System of Sri Lanka Presentation by Sunimal Weerasooriya, CEO LankaClear (Pvt) Ltd. Introduction to LankaClear Originated as Sri
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationDNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. olaf@nlnetlabs.nl and mankin@psg.com. http://www.nlnetlabs.nl/ 8 Feb 2006 Stichting NLnet Labs
DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin olaf@nlnetlabs.nl and mankin@psg.com 8 Feb 2006 Stichting NLnet Labs DNSSEC evangineers of the day Allison: Independent consultant Member of the Internet2
More informatione-authentication guidelines for esign- Online Electronic Signature Service
e-authentication guidelines for esign- Online Electronic Signature Service Version 1.0 June 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry of Communications
More informationInformation Technology General Controls Review (ITGC) Audit Program Prepared by:
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationTHE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.
THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Last Revision Date: June 28, 2007 Version: 3.0 Published By: RSA Security Inc. Copyright 2002-2007 by
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationTC TrustCenter GmbH Time-Stamp Practice and Disclosure Statement
GmbH NOTE: The information contained in this document is the property of TC TrustCenter GmbH. This document may not be copied, distributed, used, stored or transmitted in any form or by any means, whether
More informationA Draft Framework for Designing Cryptographic Key Management Systems
A Draft Framework for Designing Cryptographic Key Management Systems Elaine Barker Dennis Branstad Santosh Chokhani Miles Smid IEEE Key Management Summit May 4, 2010 Purpose of Presentation To define what
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationMalaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement
Malaysian Identity Federation and Access Management Certification Authority Certificate Policy and Certification Practice Statement Version 2.2 Document OID: 1.3.6.1.4.1.36355.2.1.2.2 February 2012 Contents
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationDRAFT Standard Statement Encryption
DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationETSI EN 319 401 V1.1.1 (2013-01)
EN 319 401 V1.1.1 (2013-01) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 EN 319 401 V1.1.1
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationPKI NBP Certification Policy for ESCB Signature Certificates. OID: 1.3.6.1.4.1.31995.1.2.2.1 version 1.5
PKI NBP Certification Policy for ESCB Signature Certificates OID: 1.3.6.1.4.1.31995.1.2.2.1 version 1.5 Security Department NBP Warsaw, 2015 Table of Contents 1. Introduction 1 1.1 Overview 1 1.2 Document
More informationAlliance Key Manager Solution Brief
Alliance Key Manager Solution Brief KEY MANAGEMENT Enterprise Encryption Key Management On the road to protecting sensitive data assets, data encryption remains one of the most difficult goals. A major
More informationDNSSEC. Introduction Principles Deployment
DNSSEC Introduction Principles Deployment Overview What we will cover The problems that DNSSEC addresses The protocol and implementations Things to take into account to deploy DNSSEC The practical problems
More informationOutline SSS6425 - Configuring and Troubleshooting Windows Server 2008 Active Directory
Outline SSS6425 - Configuring and Troubleshooting Windows Server 2008 Active Directory Duration: Four consecutive Saturdays About this Course This instructor-led course provides the knowledge and skills
More informationDNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)
DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is
More information