[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00 01 draft-ietf-dnsop-dnssec-dps-framework

Network Working Group                                       F. Ljunggren
Internet-Draft                                                  Kirei AB
Intended status: Informational                      A-M. Eklund-Lowinder
Expires: January 6, 2010                                             .SE
                                                            July 5, 2009


              DNSSEC Policy & Practice Statement Framework
                    draft-ljunggren-dps-framework-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 6, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document presents a framework to assist writers of DNSSEC policy
   and practice statements such as registry managers on both TLD and



Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 1]


Internet-Draft                DPS framework                    July 2009


   secondary level, who have deployed DNSSEC.  DNSSEC is a set of
   security extensions to the DNS that allows validating DNS answers by
   to establishing a 'chains of trust' from known public keys to the
   data being validated.

   The aim of this framework is to describe an overall policy for
   serving secured DNS data and key management.  In particular, the
   framework provides a comprehensive list of topics that potentially
   (at the writer's discretion) needs to be covered in a DNSSEC policy
   definition and practice statement.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Background  . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.2.  Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.3.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Concepts  . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     3.1.  DNSSEC  . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     3.2.  Signing policy and practice statement . . . . . . . . . . . 3
     3.3.  Relationship between policy and practice statement  . . . . 3
     3.4.  Set of provisions . . . . . . . . . . . . . . . . . . . . . 3
   4.  Contents of a set of provisions . . . . . . . . . . . . . . . . 3
   5.  Outline of a set of provisions  . . . . . . . . . . . . . . . . 3
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
   Appendix A.  Definitions and Acronyms . . . . . . . . . . . . . . . 7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 7


















Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 2]


Internet-Draft                DPS framework                    July 2009


1.  Introduction

1.1.  Background

   This document has been heavily inspired by RFC 3647 [RFC3647].

1.2.  Purpose

   The purpose of this document is twofold.  First, the document aims to
   explain the concept of a DPS and describe the relationship between
   the registry and the relying parties.  Second, this document aims to
   present a framework to assist the writers of DPSs in creating
   comparable policies and practices.  In particular, the framework
   identifies the elements that may need to be considered in formulating
   a DPS.  The purpose is not to define a particular policy or practice,
   per se.  Moreover, this document does not aim to provide legal advice
   or recommendations as to particular requirements or practices that
   should be contained within DPSs.

1.3.  Scope


2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


3.  Concepts

3.1.  DNSSEC

3.2.  Signing policy and practice statement

3.3.  Relationship between policy and practice statement

3.4.  Set of provisions


4.  Contents of a set of provisions


5.  Outline of a set of provisions

      1.  Introduction
        1.1.  Overview
        1.2.  Definitions



Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 3]


Internet-Draft                DPS framework                    July 2009


        1.3.  Identification
        1.4.  Community and Applicability
          1.4.1.  Registry
          1.4.2.  Registrar
          1.4.3.  Registrant
          1.4.4.  Auditor
          1.4.5.  End Entities
          1.4.6.  Applicability
        1.5.  Specification Administration
          1.5.1.  Specification administration organization
          1.5.2.  Contact Information
          1.5.3.  Specification change procedures
          1.5.4.  Publication and notification policies
          1.5.5.  DPS approval procedures
      2.  General Provisions
        2.1.  Obligations
          2.1.1.  Registry obligations
          2.1.2.  Registrars obligations
          2.1.3.  Registrants obligations
          2.1.4.  Resolver operator obligations
        2.2.  Liability
        2.3.  Interpretation and Enforcement
          2.3.1.  Governing law
          2.3.2.  Dispute resolution procedures
        2.4.  Publication of key signing keys
        2.5.  Compliance audit
          2.5.1.  Frequency of entity compliance audit
          2.5.2.  Identity/qualifications of auditor
          2.5.3.  Auditor's relationship to audited party
          2.5.4.  Topics covered by audit
          2.5.5.  Actions taken as a result of deficiency
          2.5.6.  Communication of results
        2.6.  Confidentiality
          2.6.1.  Types of information to be kept confidential
          2.6.2.  Types of information not considered confidential
          2.6.3.  Other information release circumstances
        2.7.  Intellectual Property Rights
      3.  Identification and Authentication
        3.1.  Initial Registration
          3.1.1.  Authentication of organization identity
          3.1.2.  Authentication of individual identity
          3.1.3.  Registration of delegation signer
          3.1.4.  Method to prove possession of private key
        3.2.  Routine key roll-over
        3.3.  Emergency key roll-over
        3.4.  Unsigning of child zone
      4.  Operational Requirements
        4.1.  Activation of DNSSEC for child zone



Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 4]


Internet-Draft                DPS framework                    July 2009


        4.2.  Verification of child zone maintainer
        4.3.  Publishing of DS record
        4.4.  Removing of DS record
          4.4.1.  Who can request removal
          4.4.2.  Procedure for removal request
          4.4.3.  Circumstances for deactivation
          4.4.4.  Deactivation grace period
        4.5.  Security Audit Procedures
          4.5.1.  Types of event recorded
          4.5.2.  Frequency of processing log
          4.5.3.  Retention period for audit log
          4.5.4.  Protection of audit log
          4.5.5.  Audit log backup procedures
          4.5.6.  Audit collection system (internal vs external)
          4.5.7.  Notification to event-causing subject
          4.5.8.  Vulnerability assessments
        4.6.  Records Archival
          4.6.1.  Types of event recorded
          4.6.2.  Retention period for archive
          4.6.3.  Protection of archive
          4.6.4.  Archive backup procedures
          4.6.5.  Requirements for time-stamping of records
          4.6.6.  Archive collection system (internal or external)
          4.6.7.  Procedures to obtain and verify archive information
        4.7.  Zone signing
          4.7.1.  DNSSEC Parameters
          4.7.2.  Key lengths and algorithms
          4.7.3.  Signature format
          4.7.4.  Signature life-time and re-signing frequency
          4.7.5.  Verification of zone signing key set
          4.7.6.  Zone signing key roll-over
          4.7.7.  Key signing key roll-over
        4.8.  Compromise and Disaster Recovery
          4.8.1.  Incident and compromise handling procedures
          4.8.2.  Computing resources, software, and/or data are
                  corrupted
          4.8.3.  Entity private key compromise procedures
          4.8.4.  Business contingency capabilities after a disaster
        4.9.  Entity termination
          4.9.1.  Registry termination
      5.  Physical, Procedural, and Personnel Security Controls
        5.1.  Physical Controls
          5.1.1.  Site location and construction
          5.1.2.  Physical access
          5.1.3.  Power and air conditioning
          5.1.4.  Water exposures
          5.1.5.  Fire prevention and protection
          5.1.6.  Media storage



Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 5]


Internet-Draft                DPS framework                    July 2009


          5.1.7.  Waste disposal
          5.1.8.  Off-site backup
          5.1.9.  Maintenance procedures
        5.2.  Procedural Controls
          5.2.1.  Trusted roles
          5.2.2.  Number of persons required per task
          5.2.3.  Identification and authentication for each role
          5.2.4.  Tasks requiring separation of duties
        5.3.  Personnel Controls
          5.3.1.  Background, qualifications, experience, and
                  clearance requirements
          5.3.2.  Background check procedures
          5.3.3.  Separation of duties
          5.3.4.  Training requirements
          5.3.5.  Retraining frequency and requirements
          5.3.6.  Job rotation frequency and sequence
          5.3.7.  Sanctions for unauthorized actions
          5.3.8.  Contracting personnel requirements
          5.3.9.  Documentation supplied to personnel
      6.  Technical Security Controls
        6.1.  Key Pair Generation and Installation
          6.1.1.  Technical environment for key generation
          6.1.2.  Key pair generation procedures (KSK)
          6.1.3.  Public key delivery
          6.1.4.  Public key parameters generation
          6.1.5.  Parameter quality checking
          6.1.6.  Hardware/software key generation
          6.1.7.  Key usage purposes (KSK, ZSK)
        6.2.  Private Key Protection
          6.2.1.  Standards for cryptographic module
          6.2.2.  Private key (m-of-n) multi-person control
          6.2.3.  Private key escrow
          6.2.4.  Private key backup
          6.2.5.  Private key archival
          6.2.6.  Private key entry into cryptographic module
          6.2.7.  Method of activating private key
          6.2.8.  Method of deactivating private key
          6.2.9.  Method of destroying private key
        6.3.  Activation data
          6.3.1.  Activation data generation and installation
          6.3.2.  Activation data protection
          6.3.3.  Other aspects of activation data
        6.4.  Other Aspects of Key Pair Management
          6.4.1.  Public key archival
          6.4.2.  Key usage periods
        6.5.  Computer Security Controls
          6.5.1.  Specific computer security technical requirements
          6.5.2.  Computer security rating



Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 6]


Internet-Draft                DPS framework                    July 2009


        6.6.  Life Cycle Technical Controls
          6.6.1.  System development controls
          6.6.2.  Security management controls
        6.7.  Network Security Controls
        6.8.  Cryptographic Module Engineering Controls


6.  IANA Considerations


7.  Security Considerations


8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [RFC3647]  Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
              Wu, "Internet X.509 Public Key Infrastructure Certificate
              Policy and Certification Practices Framework", RFC 3647,
              November 2003.


Appendix A.  Definitions and Acronyms


Authors' Addresses

   Fredrik Ljunggren
   Kirei AB
   P.O. Box 53204
   Goteborg  SE-400 16
   Sweden

   Email: fredrik@kirei.se











Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 7]


Internet-Draft                DPS framework                    July 2009


   Anne-Marie Eklund-Lowinder
   .SE
   P.O. Box 7399
   Stockholm  SE-103 91
   Sweden

   Email: amel@iis.se












































Ljunggren & Eklund-Lowinder  Expires January 6, 2010            [Page 8]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/