Domain Name Registration and Operational Best Current Practices
Florian Maury, ANSSI
May 10, 2015
Florian Maury – ANSSI http://www.ssi.gouv.fr/guide-dns May 10, 2015 1/17
Document Motives
Motives:
▶ lack of documentation meeting our criteria
▶ in French
▶ independent
▶ all-in-one
▶ incidents keep on occurring
▶ asked for by operators
A Broad Approach
"Risk management"-oriented approach:
▶ to identify vigilance points when contracting with a provider
A broad approach:
▶ DNS essentials reminder
▶ organizational aspects
▶ legal aspects
▶ operational aspects
Organizational Aspects
Registry Selection Criteria
Registry selection is paramount to secure a domain name.
Registries are high-priority targets for attackers.
Expected security features (in addition to all availability best practices):
▶ DNSSEC support
▶ registry lock
Our Vision of the Registry Lock
Registry lock:
▶ all domain-related information is frozen, including delegations, DNSSEC material and whois content
Procedure:
1. lock activated by the domain name holder
2. lock enforced by the registry
3. may be unlocked only at the domain name holder's request:
▶ the registry authenticates the origin of the request
Registrar Selection Criteria
Registrar selection is as important as registry selection.
Expected security features:
▶ 2-factor authentication with access logs
▶ registry lock support
▶ DNSSEC support
Other Providers' Contracts
Expectations of DNS hosting operators:
▶ application of technical best current practices
Expectations of resellers and other service providers:
▶ contracting is a risk transfer, not necessarily risk handling!
Legal Aspects
Legal Systems and Languages
Select registries and registrars subject to legal systems and dispute resolution policies that are well understood by the domain name holder.
Technical Aspects
Resiliency Axis: System Administration BCP
System administration BCP:
▶ implement a backup policy
▶ automate system health-checking
▶ set TTL values according to the operational needs
Resiliency Axis: State-of-the-art Compliance
State-of-the-art compliance:
▶ TCP support
▶ EDNS0 support
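The two compliance items above can be probed without any DNS library: build a query carrying an EDNS0 OPT pseudo-RR, send it over UDP and over TCP (two-byte length prefix), and inspect the reply. A server that supports EDNS0 echoes an OPT record in the additional section; one that does not typically answers FORMERR or omits it. A UDP reply with TC set means the client must retry over TCP, which is why TCP support matters. The module below is an added example (not ANSSI's code and not part of the guide); the sample response is constructed inline so everything except the optional `query_tcp` probe runs offline.

```python
"""Minimal DNS wire-format helpers to check EDNS0 (RFC 6891) and TCP (RFC 7766)
support of an authoritative server.  Added example; packets are built locally."""
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                edns: bool = True, udp_payload: int = 4096) -> bytes:
    """Build a standard query; with edns=True an OPT RR (DO bit set) is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO bit + zeros(16), RDLEN=0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0x00008000, 0)
    return header + question + opt


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> dict:
    """Extract RCODE, the TC bit, EDNS0 presence/size and A answers from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "opt_present": False, "edns_udp_size": None, "answers": []}
    for count, section in ((an, "answer"), (ns, "authority"), (ar, "additional")):
        for _ in range(count):
            _, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:                       # EDNS0 echoed back
                info["opt_present"] = True
                info["edns_udp_size"] = rclass          # CLASS carries the UDP size
            elif rtype == TYPE_A and section == "answer":
                info["answers"].append(".".join(str(b) for b in rdata))
    return info


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query over TCP (RFC 7766 length prefix). Network-only; not run offline."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_response(data)


# Constructed reply (not captured from a real server): example.com/A answer,
# plus an OPT RR in the additional section advertising a 4096-byte UDP size.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

Run against a live server with `query_tcp("<ns address>", "<zone>")`: a connection refused or a reply with no OPT record is exactly the non-compliance the slide warns about; a UDP reply with `tc` set and no working TCP path means large (DNSSEC-signed) answers cannot be delivered at all.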
Resiliency Axis: System Hardening
System hardening:
▶ deploy DDoS mitigation solutions
▶ harden the operating system, not only the DNS service
▶ implement role separation
▶ implement information compartmentalisation
Resiliency Axis: Avoid SPOF
Avoid single points of failure:
▶ implement software diversification
▶ adopt a resilient network topology
▶ adopt a resilient physical topology
Limit third-party dependency:
▶ avoid glueless delegations
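A delegation is glueless when a name server's name lies inside the zone it serves (in-bailiwick) but the parent zone publishes no glue address for it: a resolver then has to resolve a name it can only learn from the zone it is trying to reach. Out-of-bailiwick servers avoid that loop but make resolution depend on whoever runs their zone, which is the third-party dependency the slide mentions. The checker below is an added example (not ANSSI's code); the delegation data is constructed, not fetched from a registry, and the "operator" grouping by stripping one label is a simplifying assumption of this example.

```python
"""Delegation sanity check: glueless in-bailiwick servers, resolution loops,
and how many third-party zones the delegation depends on.  Added example."""


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(ns: str, zone: str) -> bool:
    """True if the name server's name lives inside the delegated zone,
    i.e. its address must be published as glue in the parent zone."""
    ns, zone = _norm(ns), _norm(zone)
    return ns == zone or ns.endswith("." + zone)


def parent_of(name: str) -> str:
    """Crude 'operator' key: the server name minus its first label.
    Assumption of this example; a public-suffix-aware split would be better."""
    labels = _norm(name).split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else _norm(name)


def check_delegation(zone: str, ns_records: list, glue: dict) -> dict:
    """ns_records: NS target hostnames published in the parent zone.
    glue: hostname -> list of A/AAAA addresses published alongside them.
    Returns glueless in-bailiwick servers, out-of-bailiwick servers grouped
    by the zone they depend on, and human-readable findings."""
    glue = {_norm(k): v for k, v in glue.items()}
    names = [_norm(n) for n in ns_records]
    glueless, external, findings = [], {}, []
    for ns in names:
        if in_bailiwick(ns, zone):
            if not glue.get(ns):
                glueless.append(ns)
        else:
            external.setdefault(parent_of(ns), []).append(ns)
    if len(set(names)) < 2:
        findings.append("fewer than two name servers (RFC 2182 asks for at least two)")
    for ns in glueless:
        findings.append(f"glueless delegation: {ns} is in-bailiwick but has no glue")
    # Every server in-bailiwick and none with glue: the zone cannot be reached
    # from a cold cache at all.
    if not external and len(glueless) == len(set(names)):
        findings.append("no reachable name server without glue: resolution loop")
    # All servers out-of-bailiwick and in one external zone: one third party
    # (and its own delegation chain) is a single point of failure.
    if len(external) == 1 and not any(in_bailiwick(ns, zone) for ns in names):
        dep = next(iter(external))
        findings.append(f"all name servers depend on one third-party zone: {dep}")
    return {"glueless": glueless, "external": external, "findings": findings}


# Constructed delegation as it might appear in the parent zone (not real data):
# ns2 was registered as a name server but its glue record was never published.
SAMPLE_ZONE = "example.com"
SAMPLE_NS = ["ns1.example.com.", "ns2.example.com.", "ns.dns-provider.example."]
SAMPLE_GLUE = {"ns1.example.com": ["192.0.2.53"]}

if __name__ == "__main__":
    for line in check_delegation(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_GLUE)["findings"]:
        print(line)
```

Feed it the NS and glue records returned by the parent's authoritative servers (the registry's output, not your own zone file, since the two can disagree after a registrar change) and treat any finding as a ticket for the registrar.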
DNSSEC Recommendations?
What about DNSSEC?
▶ DNSSEC may be considered once all of the above are applied
▶ ANSSI resiliency observatory: study DNSSEC and its deployment
Q & A
Call for feedback:
Google-translated English version of the guidelines