[Ssr2-review] DNS SSR answers FAO Boban, Laurin

Jennifer Bryce jennifer.bryce at icann.org
Thu Feb 21 11:06:58 UTC 2019


Dear Boban and Laurin,

See below regarding the NS/DS record management topic of DNS SSR workstream. There are no remaining questions for this topic.

Review Team volunteers: Boban, Laurin
Workstream: DNS SSR
Topic: NS / DS record management

Q: What technologies are used to ensure integrity and authentication?
A: For the ICANN Org portfolio of domains (e.g. icann.org):

  *   The registrar account for ICANN is restricted to key engineering personnel.
  *   The registrar password is of significant length and complexity.
  *   The registrar account for ICANN requires two-factor authentication.
  *   Domain locks are applied on all domains in the ICANN Org portfolio.
  *   All ICANN domains in the ICANN portfolio are DNSSEC signed.

Q: What procedures are used to address SSR concerns when it comes to NS/DS record management?
A: For the ICANN Org portfolio of domains (e.g. icann.org):

  *   Changes to the NS/DS records in ICANN Org zones are restricted to a minimal set of personnel with valid credentials.
  *   Changes can only be performed from the ICANN network, which can only be accessed via ICANN VPN and that requires valid credentials and two-factor authentication.
  *   The ICANN VPN applies a requisite profile which includes an access control list to permit only the minimal set of personnel access to the system for changing records.
  *   The mechanism for changing DNS records employs version control and logging.

Best,
Jennifer
--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org