Domain Name Registration and Operational Best Current Practices
Florian Maury, ANSSI
May 10, 2015
Florian Maury – ANSSI http://www.ssi.gouv.fr/guide-dns May 10, 2015 1/17
Document Motives
Motives:
▶ lack of documentation meeting our criteria:
  ▶ in French
  ▶ independent
  ▶ all-in-one
▶ incidents keep on occurring
▶ asked for by operators
A Broad Approach
"Risk management"-oriented approach:
▶ to identify vigilance points when contracting with a provider
A broad approach:
▶ DNS essentials reminder
▶ organizational aspects
▶ legal aspects
▶ operational aspects
Organizational Aspects
Registry Selection Criteria
Registry selection is paramount to securing a domain name.
Registries are high-priority targets for attackers.
Expected security features (in addition to all availability best practices):
▶ DNSSEC support
▶ registry lock
Our Vision of the Registry Lock
Registry lock:
▶ all domain-related information is frozen, including delegations, DNSSEC material and whois content
Procedure:
1. lock activated by the domain name holder
2. lock enforced by the registry
3. may be unlocked only at the domain name holder's request:
   ▶ the registry authenticates the request origin
Registrar Selection Criteria
Registrar selection is as important as registry selection.
Expected security features:
▶ 2-factor authentication with access logs
▶ registry lock support
▶ DNSSEC support
Other Providers' Contracts
Expectations of DNS hosting operators:
▶ application of technical best current practices
Expectations of resellers and other service providers:
▶ contracting is a risk transfer, not necessarily risk handling!
Legal Aspects
Legal Systems and Languages
Select registries and registrars subject to legal systems and dispute resolution policies well understood by the domain name holder.
Technical Aspects
Resiliency Axis: System Administration BCP
System administration BCP:
▶ implement a backup policy
▶ automate system health-checking
▶ set TTL values according to the operational needs
Resiliency Axis: State-of-the-art Compliance
State-of-the-art compliance:
▶ TCP support
▶ EDNS0 support
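The two compliance points above are easy to verify on the wire: send a query carrying an EDNS0 OPT pseudo-RR and check whether the server echoes one back (rather than answering FORMERR or dropping it), and send the same query over TCP with the two-byte length framing and check that a complete, non-truncated answer comes back. The following Python is an added example written for this page, not ANSSI's code or tooling; the query builder and parser follow RFC 1035 and RFC 6891 wire format, and the three server replies are constructed in-line (a compliant server, one that truncates over UDP but answers over TCP, and a legacy server with neither EDNS0 nor a TCP listener) so the check runs offline. On a real server you would send `tcp_frame(QUERY)` over a TCP socket and the raw `QUERY` over UDP, then pass the replies to `assess_server`.

```python
import struct

DNS_TYPE_NS = 2
DNS_TYPE_OPT = 41   # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                        # the name ends after the first pointer
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def build_edns_query(qname, qtype=DNS_TYPE_NS, txid=0x1234, udp_size=4096, dnssec_ok=True):
    """Query with an EDNS0 OPT RR in the additional section (flags 0: no RD, authoritative server)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: owner ".", TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE | version | DO bit | Z, RDLENGTH 0
    opt_ttl = 0x8000 if dnssec_ok else 0
    opt = encode_name(".") + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_message(msg):
    """Minimal parser: header flags plus (name, type, class, ttl, rdata) for every RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "records": records}


def assess_server(udp_reply, tcp_reply):
    """Judge a server from its UDP reply to an EDNS0 query and its length-framed TCP reply (or None)."""
    udp = parse_message(udp_reply)
    opts = [r for r in udp["records"] if r[1] == DNS_TYPE_OPT]
    result = {
        "edns0": bool(opts) and udp["rcode"] == 0,
        "advertised_udp_size": opts[0][2] if opts else None,   # OPT CLASS field
        "truncated_over_udp": udp["tc"],
        "tcp": False,
    }
    if tcp_reply is not None and len(tcp_reply) >= 2:
        length = struct.unpack("!H", tcp_reply[:2])[0]
        if len(tcp_reply) == 2 + length:             # framing intact, message complete
            tcp = parse_message(tcp_reply[2:])
            result["tcp"] = tcp["id"] == udp["id"] and tcp["rcode"] == 0 and not tcp["tc"]
    return result


def build_reply(query, answers, opt_size=None, tc=False, rcode=0):
    """Constructed server reply used as sample data for this example (not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8400 | rcode | (0x0200 if tc else 0)  # QR + AA (+ TC)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
                    for n, t, rd in answers)
    opt = b"" if opt_size is None else encode_name(".") + struct.pack("!HHIH", DNS_TYPE_OPT, opt_size, 0, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if opt else 0)
    return header + question + body + opt


# Constructed sample exchanges (reserved example names, not real servers)
QUERY = build_edns_query("example.net.")
NS_RRS = [("example.net.", DNS_TYPE_NS, encode_name("ns1.example.net.")),
          ("example.net.", DNS_TYPE_NS, encode_name("ns2.example.net."))]
MODERN_UDP = build_reply(QUERY, NS_RRS, opt_size=4096)            # EDNS0 echoed, full answer
MODERN_TCP = tcp_frame(build_reply(QUERY, NS_RRS, opt_size=4096))
TRUNC_UDP = build_reply(QUERY, [], opt_size=512, tc=True)          # truncates over UDP...
TRUNC_TCP = tcp_frame(build_reply(QUERY, NS_RRS, opt_size=512))    # ...but answers over TCP
LEGACY_UDP = build_reply(QUERY, [], rcode=1)                       # FORMERR on OPT, no TCP listener
LEGACY_TCP = None

if __name__ == "__main__":
    for label, udp, tcp in (("modern", MODERN_UDP, MODERN_TCP),
                            ("truncating", TRUNC_UDP, TRUNC_TCP),
                            ("legacy", LEGACY_UDP, LEGACY_TCP)):
        print(label, assess_server(udp, tcp))
```

A server that sets TC over UDP is still compliant as long as the TCP retry succeeds; a server that answers FORMERR to the OPT record, or never completes the TCP exchange, fails the checks above and will lose traffic from validating resolvers and from clients behind UDP size limits.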
Resiliency Axis: System Hardening
System hardening:
▶ deploy DDoS mitigation solutions
▶ harden the operating system, not only the DNS service
▶ implement role separation
▶ implement information compartmentalisation
Resiliency Axis: Avoid SPOF
Avoid single points of failure:
▶ implement software diversification
▶ adopt a resilient network topology
▶ adopt a resilient physical topology
Limit third-party dependency:
▶ avoid glueless delegations
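A delegation is glueless when the zone's name servers are named outside the zone itself: the parent then publishes no address records for them, and resolving the zone first requires resolving whatever zone hosts the name server names, which is exactly the third-party dependency the slide warns about. The opposite defect also exists: a name server inside the zone with no glue at all, which resolvers cannot reach without the zone they are trying to reach. The audit below is an added example written for this page (not ANSSI's tooling): it takes a delegation as seen at the parent (NS names plus glue) and classifies each name server; the four sample delegations are constructed with reserved example names. Glue published for out-of-bailiwick names is deliberately ignored, since resolvers generally do not trust it.

```python
def canon(name):
    """Lower-case, absolute form with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def in_bailiwick(ns, zone):
    """True when the name server's name lives inside the delegated zone."""
    return ns == zone or ns.endswith("." + zone)


def audit_delegation(zone, ns_names, glue):
    """
    zone: delegated zone; ns_names: NS RRset as published at the parent;
    glue: {ns_name: [addresses]} as published in the parent's delegation.
    Returns the classification of each NS plus a list of findings.
    """
    zone = canon(zone)
    glue = {canon(k): v for k, v in glue.items() if v}
    report = {"with_glue": [], "missing_glue": [], "glueless": [], "findings": []}
    for raw in ns_names:
        ns = canon(raw)
        if in_bailiwick(ns, zone):
            if ns in glue:
                report["with_glue"].append(ns)
            else:
                # Inside the zone but without glue: its address can only be learned
                # from the very zone it serves, so resolution is circular
                report["missing_glue"].append(ns)
        else:
            # Out-of-bailiwick: no usable glue, resolution depends on the zone
            # hosting the NS name (a third party unless you also operate it)
            report["glueless"].append(ns)

    if len({canon(n) for n in ns_names}) < 2:
        report["findings"].append("fewer than two name servers (RFC 1034 requires at least two)")
    if report["missing_glue"]:
        report["findings"].append("in-bailiwick name servers without glue: " + ", ".join(report["missing_glue"]))
    if report["glueless"] and not report["with_glue"]:
        report["findings"].append("every name server is glueless: the zone is unreachable without third-party zones")
    elif report["glueless"]:
        report["findings"].append("glueless name servers (third-party dependency): " + ", ".join(report["glueless"]))
    return report


# Constructed sample delegations (reserved example names, not real registry data)
SAMPLES = {
    "example.net.": (["ns1.example.net", "ns2.example.net"],
                     {"ns1.example.net": ["192.0.2.1"], "ns2.example.net": ["192.0.2.2", "2001:db8::2"]}),
    "example.org.": (["ns1.example.org", "ns.provider.example"],
                     {"ns1.example.org": ["192.0.2.10"]}),
    "example.com.": (["ns.provider.example", "ns2.provider.example"], {}),
    "broken.example.": (["ns1.broken.example"], {}),
}

if __name__ == "__main__":
    for zone, (ns_names, glue) in SAMPLES.items():
        rep = audit_delegation(zone, ns_names, glue)
        print(zone, "OK" if not rep["findings"] else "; ".join(rep["findings"]))
```

Running the audit against the delegation actually published by the parent (the NS set and glue returned by the parent's servers, not the child's own zone file) is what catches the case where the zone file is fine but the registrar never pushed the glue.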
DNSSEC Recommendations?
What about DNSSEC?
▶ DNSSEC may be considered once all of the above are applied
▶ ANSSI resiliency observatory: study DNSSEC and its deployment
Q & A
Call for feedback:
Google-translated English version of the guidelines