[Ssr2-review] DNS SSR answers FAO Boban, Laurin
Jennifer Bryce
jennifer.bryce at icann.org
Thu Feb 21 11:06:58 UTC 2019
Dear Boban and Laurin,
See below regarding the NS/DS record management topic of the DNS SSR workstream. There are no remaining questions for this topic.
Review Team volunteers: Boban, Laurin
Workstream: DNS SSR
Topic: NS / DS record management
Q: What technologies are used to ensure integrity and authentication?
A: For the ICANN Org portfolio of domains (e.g. icann.org):
* The registrar account for ICANN is restricted to key engineering personnel.
* The registrar password is of significant length and complexity.
* The registrar account for ICANN requires two-factor authentication.
* Domain locks are applied on all domains in the ICANN Org portfolio.
* All ICANN domains in the ICANN portfolio are DNSSEC signed.
Q: What procedures are used to address SSR concerns when it comes to NS/DS record management?
A: For the ICANN Org portfolio of domains (e.g. icann.org):
* Changes to the NS/DS records in ICANN Org zones are restricted to a minimal set of personnel with valid credentials.
* Changes can only be performed from the ICANN network, which can only be accessed via ICANN VPN and that requires valid credentials and two-factor authentication.
* The ICANN VPN applies a requisite profile which includes an access control list to permit only the minimal set of personnel access to the system for changing records.
* The mechanism for changing DNS records employs version control and logging.
Best,
Jennifer
--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)
Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org