Network Working Group F. Ljunggren
Internet-Draft Kirei AB
Intended status: Informational A-M. Eklund-Lowinder
Expires: January 6, 2010 .SE
July 5, 2009
DNSSEC Policy & Practice Statement Framework
draft-ljunggren-dps-framework-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 6, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This document presents a framework to assist writers of DNSSEC policy
and practice statements such as registry managers on both TLD and
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 1]
Internet-Draft DPS framework July 2009
secondary level, who have deployed DNSSEC. DNSSEC is a set of
security extensions to the DNS that allows validating DNS answers by
to establishing a 'chains of trust' from known public keys to the
data being validated.
The aim of this framework is to describe an overall policy for
serving secured DNS data and key management. In particular, the
framework provides a comprehensive list of topics that potentially
(at the writer's discretion) needs to be covered in a DNSSEC policy
definition and practice statement.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Signing policy and practice statement . . . . . . . . . . . 3
3.3. Relationship between policy and practice statement . . . . 3
3.4. Set of provisions . . . . . . . . . . . . . . . . . . . . . 3
4. Contents of a set of provisions . . . . . . . . . . . . . . . . 3
5. Outline of a set of provisions . . . . . . . . . . . . . . . . 3
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . . 7
Appendix A. Definitions and Acronyms . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 2]
Internet-Draft DPS framework July 2009
1. Introduction
1.1. Background
This document has been heavily inspired by RFC 3647 [RFC3647].
1.2. Purpose
The purpose of this document is twofold. First, the document aims to
explain the concept of a DPS and describe the relationship between
the registry and the relying parties. Second, this document aims to
present a framework to assist the writers of DPSs in creating
comparable policies and practices. In particular, the framework
identifies the elements that may need to be considered in formulating
a DPS. The purpose is not to define a particular policy or practice,
per se. Moreover, this document does not aim to provide legal advice
or recommendations as to particular requirements or practices that
should be contained within DPSs.
1.3. Scope
2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Concepts
3.1. DNSSEC
3.2. Signing policy and practice statement
3.3. Relationship between policy and practice statement
3.4. Set of provisions
4. Contents of a set of provisions
5. Outline of a set of provisions
1. Introduction
1.1. Overview
1.2. Definitions
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 3]
Internet-Draft DPS framework July 2009
1.3. Identification
1.4. Community and Applicability
1.4.1. Registry
1.4.2. Registrar
1.4.3. Registrant
1.4.4. Auditor
1.4.5. End Entities
1.4.6. Applicability
1.5. Specification Administration
1.5.1. Specification administration organization
1.5.2. Contact Information
1.5.3. Specification change procedures
1.5.4. Publication and notification policies
1.5.5. DPS approval procedures
2. General Provisions
2.1. Obligations
2.1.1. Registry obligations
2.1.2. Registrars obligations
2.1.3. Registrants obligations
2.1.4. Resolver operator obligations
2.2. Liability
2.3. Interpretation and Enforcement
2.3.1. Governing law
2.3.2. Dispute resolution procedures
2.4. Publication of key signing keys
2.5. Compliance audit
2.5.1. Frequency of entity compliance audit
2.5.2. Identity/qualifications of auditor
2.5.3. Auditor's relationship to audited party
2.5.4. Topics covered by audit
2.5.5. Actions taken as a result of deficiency
2.5.6. Communication of results
2.6. Confidentiality
2.6.1. Types of information to be kept confidential
2.6.2. Types of information not considered confidential
2.6.3. Other information release circumstances
2.7. Intellectual Property Rights
3. Identification and Authentication
3.1. Initial Registration
3.1.1. Authentication of organization identity
3.1.2. Authentication of individual identity
3.1.3. Registration of delegation signer
3.1.4. Method to prove possession of private key
3.2. Routine key roll-over
3.3. Emergency key roll-over
3.4. Unsigning of child zone
4. Operational Requirements
4.1. Activation of DNSSEC for child zone
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 4]
Internet-Draft DPS framework July 2009
4.2. Verification of child zone maintainer
4.3. Publishing of DS record
4.4. Removing of DS record
4.4.1. Who can request removal
4.4.2. Procedure for removal request
4.4.3. Circumstances for deactivation
4.4.4. Deactivation grace period
4.5. Security Audit Procedures
4.5.1. Types of event recorded
4.5.2. Frequency of processing log
4.5.3. Retention period for audit log
4.5.4. Protection of audit log
4.5.5. Audit log backup procedures
4.5.6. Audit collection system (internal vs external)
4.5.7. Notification to event-causing subject
4.5.8. Vulnerability assessments
4.6. Records Archival
4.6.1. Types of event recorded
4.6.2. Retention period for archive
4.6.3. Protection of archive
4.6.4. Archive backup procedures
4.6.5. Requirements for time-stamping of records
4.6.6. Archive collection system (internal or external)
4.6.7. Procedures to obtain and verify archive information
4.7. Zone signing
4.7.1. DNSSEC Parameters
4.7.2. Key lengths and algorithms
4.7.3. Signature format
4.7.4. Signature life-time and re-signing frequency
4.7.5. Verification of zone signing key set
4.7.6. Zone signing key roll-over
4.7.7. Key signing key roll-over
4.8. Compromise and Disaster Recovery
4.8.1. Incident and compromise handling procedures
4.8.2. Computing resources, software, and/or data are
corrupted
4.8.3. Entity private key compromise procedures
4.8.4. Business contingency capabilities after a disaster
4.9. Entity termination
4.9.1. Registry termination
5. Physical, Procedural, and Personnel Security Controls
5.1. Physical Controls
5.1.1. Site location and construction
5.1.2. Physical access
5.1.3. Power and air conditioning
5.1.4. Water exposures
5.1.5. Fire prevention and protection
5.1.6. Media storage
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 5]
Internet-Draft DPS framework July 2009
5.1.7. Waste disposal
5.1.8. Off-site backup
5.1.9. Maintenance procedures
5.2. Procedural Controls
5.2.1. Trusted roles
5.2.2. Number of persons required per task
5.2.3. Identification and authentication for each role
5.2.4. Tasks requiring separation of duties
5.3. Personnel Controls
5.3.1. Background, qualifications, experience, and
clearance requirements
5.3.2. Background check procedures
5.3.3. Separation of duties
5.3.4. Training requirements
5.3.5. Retraining frequency and requirements
5.3.6. Job rotation frequency and sequence
5.3.7. Sanctions for unauthorized actions
5.3.8. Contracting personnel requirements
5.3.9. Documentation supplied to personnel
6. Technical Security Controls
6.1. Key Pair Generation and Installation
6.1.1. Technical environment for key generation
6.1.2. Key pair generation procedures (KSK)
6.1.3. Public key delivery
6.1.4. Public key parameters generation
6.1.5. Parameter quality checking
6.1.6. Hardware/software key generation
6.1.7. Key usage purposes (KSK, ZSK)
6.2. Private Key Protection
6.2.1. Standards for cryptographic module
6.2.2. Private key (m-of-n) multi-person control
6.2.3. Private key escrow
6.2.4. Private key backup
6.2.5. Private key archival
6.2.6. Private key entry into cryptographic module
6.2.7. Method of activating private key
6.2.8. Method of deactivating private key
6.2.9. Method of destroying private key
6.3. Activation data
6.3.1. Activation data generation and installation
6.3.2. Activation data protection
6.3.3. Other aspects of activation data
6.4. Other Aspects of Key Pair Management
6.4.1. Public key archival
6.4.2. Key usage periods
6.5. Computer Security Controls
6.5.1. Specific computer security technical requirements
6.5.2. Computer security rating
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 6]
Internet-Draft DPS framework July 2009
6.6. Life Cycle Technical Controls
6.6.1. System development controls
6.6.2. Security management controls
6.7. Network Security Controls
6.8. Cryptographic Module Engineering Controls
6. IANA Considerations
7. Security Considerations
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
8.2. Informative References
[RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
Wu, "Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework", RFC 3647,
November 2003.
Appendix A. Definitions and Acronyms
Authors' Addresses
Fredrik Ljunggren
Kirei AB
P.O. Box 53204
Goteborg SE-400 16
Sweden
Email: fredrik@kirei.se
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 7]
Internet-Draft DPS framework July 2009
Anne-Marie Eklund-Lowinder
.SE
P.O. Box 7399
Stockholm SE-103 91
Sweden
Email: amel@iis.se
Ljunggren & Eklund-Lowinder Expires January 6, 2010 [Page 8]