DNSSEC Signing Policy & Practice Statement for the .CL zone
-----------------------------------------------------------

$Id: DPS-CL-eng.txt,v 1.2 2012/12/24 14:32:57 cvsnic1 Exp $

Note: This document is a translation of the original version of the CL DPS, written in Spanish, and is provided for informational purposes only. NIC Chile does not represent or warrant the correctness and accuracy of this translation.

1. INTRODUCTION

This document is the Declaration of Policies and Procedures for DNSSEC at NIC Chile, known as the DPS (its acronym in English). It states the practices and procedures that NIC Chile will use to sign the .CL zone, and also the distribution services, which include the generation, management, change and publication of the DNS keys.

1.1 Summary

The Security Extensions for the Domain Name System (DNSSEC) are a set of IETF specifications that add security to the DNS. DNSSEC provides a mechanism to validate DNS data and prove that it has not been modified in transit over the Internet. This is achieved by incorporating public key cryptography into the DNS hierarchy, forming a chain of trust that originates at the root zone. DNSSEC adds data origin authentication, integrity verification and authenticated denial of existence to the DNS.

1.2 Name of the Document and Identification

- Document title: "DNSSEC Signing Policy & Practice Statement for the .CL zone"
- Version: 1.1, July 26, 2011
- Last Editor: DNSSEC Workgroup, NIC Chile Technical Area.

1.3 Applicability

1.3.1 CL Top Level Domain Registry

NIC Chile is in charge of the .CL Top Level Domain, and is responsible for generating and managing the zone.
1.4 Administrative Information

1.4.1 Organization

Universidad de Chile / NIC Chile

1.4.2 Contact Information

Area de Operaciones e Ingenieria
NIC Chile / Universidad de Chile
Miraflores 222, Piso 14
Santiago, CHILE
CP 832-0198
Voice: +56 2 9407700
Fax: +56 2 9407701
E-mail: dnssec@nic.cl

1.4.3 Specification Change Procedures

Any modification to this document will be officially published by NIC Chile, and the most recent version will be kept in the repository mentioned in section 2.1.

2. PUBLICATION AND REPOSITORY

2.1 Repository

The latest available version of this document can be found at: https://www.nic.cl/dnssec/

2.2 Publication of KSK

NIC Chile will publish its public KSK keys on its website, https://www.nic.cl/dnssec/, protected with TLS (https) using a digital certificate issued by a global Certification Authority licensed by WebTrust, in plain text (TXT) and signed with the PGP key of the crypto@nic.cl identity. The format will be the DNSKEY style, including the "key id". A historical archive of expired keys will also be kept.

NIC Chile will maintain a public mailing list, open for registration, where the start and end of the KSK rollovers will be announced in advance: anuncios-dnssec@listas.nic.cl

This will be the only formal information mechanism for the publication of the .CL keys.

NIC Chile will coordinate with ICANN the insertion of the .CL DS record in the DNS root to ensure a continuous, unbroken chain of trust.

2.3 Confidentiality

The following information will remain confidential:

- The private components of all KSK and ZSK keys.
- The public components of all KSK and ZSK keys before their release date (future keys).
- The identity of the individuals participating in the procedures for generating and signing the keys, except for the Trusted Witnesses.

3. OPERATIONAL REQUIREMENTS

3.1 Meaning of domain names

A domain name is a unique identifier, which is often associated with services such as web hosting or e-mail.
3.2 DNSSEC activation for child zones under .CL

In the first stage, zones under .CL will not be activated with secure delegation records (DS). By the second half of 2011, DS records will begin to be accepted from .CL domain holders.

3.2.1 DS records incorporation

To be defined.

4. INFRASTRUCTURE, MANAGEMENT AND OPERATIONAL CONTROLS

4.1 Physical Controls

4.1.1 Physical Location and Controls

The facilities meet the minimum standards in terms of physical security, power supply, environment, and fire and water protection. The private components of the KSK will be kept in an off-line signing machine, without connections to the Internet or to any other network, in a room under the direct control of NIC Chile.

4.1.2 Physical Access

The off-line signing machine will be kept in a Safe Box under the direct control of NIC Chile, and the Trusted Witnesses will know the combination to open it. While the machine is turned off, it will be kept inside a tamper-evident sealed bag, in order to ensure that its contents have not been tampered with.

4.1.3 Data Storage

The private component of the KSK will be encrypted twice, with a pair of PGP keys belonging to the Key Generators (one Generator alone will not be able to decrypt it), and stored on an encrypted disk by the Trusted Witness. The operational documentation will be kept in NIC Chile's internal content management system.

4.1.4 Waste disposal

All transported data (from the off-line machines to the production machines) will be effectively erased from the transportation devices.

4.1.5 Off-site backups

There will be two identical off-line signing machines in the same location. Additionally, a backup pendrive will be kept off-site. This pendrive is encrypted by the Trusted Witnesses, and will be kept inside a tamper-evident sealed bag that will in turn be kept inside a Safe Box. This Safe Box will be located in a room under the direct control of NIC Chile, and the Key Generators will know the combination to open it.
The room in which the Safe Box is located will require two people to access it. The individual requesting access to the room must be on the list of NIC Chile's authorized personnel, and their identity will be checked by examining their ID card.

4.2 Procedural Controls

4.2.1 Trusted Roles

4.2.1.1 Trusted Witness

The Trusted Witness ensures compliance with the procedures in the ceremonies, verifies that the published keys correspond to those generated in the ceremonies, and keeps the passwords needed to access the off-line signing machines and the backup pendrive.

4.2.1.2 Key Generator

An employee of NIC Chile's operations area, who will be in charge of the procedures for key creation, key storage and the DNSKEY off-line signing process.

4.2.1.3 Key Installer

An employee of NIC Chile's operations area, who will install the keys and the zones in the production systems related to the .CL zone.

4.2.1.4 Key Publisher

An employee of NIC Chile's operations area, who will publish -at the right time- in public and official systems the relevant information about the public components of the DNSSEC system associated with .CL.

4.2.1.5 DNS Admin

An employee of NIC Chile's operations area, who will be in charge of activating the keys associated with the .CL zone, and of executing the rollover procedures when necessary.

4.2.2 Number of persons required for each task

At least 1 (one) Trusted Witness and 2 (two) Key Generators will attend each Key Creation ceremony. At least 2 (two) Key Installers, 1 (one) Key Publisher and 1 (one) DNS Admin are required to complete the process.

For each of these roles there is a set of trained people able to perform any task. Before each ceremony, the required group will be chosen at random from this set.

4.2.3 Identification and authentication for each role

This will depend on the administrative and security procedures of NIC Chile.
4.2.4 Tasks that require complete separation of duties

The role of Trusted Witness is incompatible with the roles of Key Generator, Key Installer, Key Publisher and DNS Admin. The roles of Key Generator, Key Installer, Key Publisher and DNS Admin may be held by the same person.

4.3 Log audit procedures

4.3.1 Types of events recorded

A log will be kept of all generations, all state changes and all signing processes made with the keys. At each ceremony there will be a script and specific minutes recording all events and procedures.

4.4 Compromise and Disaster Recovery

In the event of a disaster, or when the KSK and/or ZSK is compromised, an emergency ceremony will take place to generate new keys. All incidents are handled in accordance with NIC Chile's incident handling procedures. NIC Chile maintains pre-prepared procedures for handling generation, signing, rollover, verification and maintenance of the off-line machine, among others.

5. TECHNICAL SECURITY CONTROLS

5.1 Key Pair Generation Procedures

5.1.1 Key Pair Generation

This will be performed on an off-line machine, connected exclusively to non-compromised USB devices.

5.1.2 Moving the Public Key

The transfer from the off-line signing machine to the production systems will be done using a USB storage device that has not been compromised. This device will be transported inside a tamper-evident sealed bag.

5.2 Protection and Control of the Private Key

5.2.1 Private Key Multi-person Control

At least one Trusted Witness and two Key Generators are required to access the KSK private keys.

5.2.2 Private Keys Storage

The KSK private keys will be stored inside the off-line signing machines, encrypted by a Trusted Witness and the Key Generators. This off-line signing machine will be kept inside a tamper-evident sealed bag and inside a Safe Box.
5.2.3 Private Keys Backup

A backup copy of the private keys will be kept on a USB storage device encrypted by a Trusted Witness and the Key Generators. This USB device will be kept inside a tamper-evident sealed bag and inside a Safe Box.

5.2.4 Procedure for Activating the Private Key

The private component of the KSK key can only be activated in a Ceremony, with a pre-established script. It will not be possible to operate with the key except in the presence of 1 (one) Trusted Witness and 2 (two) Key Generators, in a location under the direct control of NIC Chile.

5.2.5 Procedure for Deactivating the Private Key

Private keys are not destroyed. After their useful life, they are removed from the signing system.

5.3 Other aspects of Key Management

5.3.1 Public Key Archival

All KSK keys will be publicly available in the repository mentioned in section 2.2. This includes the active keys and all keys that were historically active at some time for the .CL zone.

5.3.2 Key Usage Period

The published KSK will be published and active (i.e. used for signing) according to what is specified in section 6 of this document.

5.3.3 Generation of Activation Data

Each Key Generator is responsible for creating their own activation data, pursuant to the applicable requirements of NIC Chile's security controls.

5.4 Equipment Security Control

All equipment will be kept in premises under the control of NIC Chile. These premises will have restricted access, as specified in section 4.1.2 of this document. Computers and peripheral devices will have controls to prevent any changes by unauthorized individuals. These controls will be validated by a Trusted Witness before each ceremony.

5.5 Network Security Controls

The off-line signing machine will not have access to any network. All information transferred will go through one or more USB storage devices.
Information transferred between these USB storage devices and NIC Chile's production systems will be moved by connecting the device directly to the computer, without any network or other mechanism in between.

5.6 Technical Controls Life Cycle

NIC Chile will have permanent external monitoring, and will run an automated suite of tests at each zone generation in order to ensure the correctness of the published data.

6. SIGNING THE .CL ZONE

The signing of the .CL zone will use the following parameters. Any change to these parameters will be reflected in this document, and will be announced as specified in section 2.1.

6.1 Algorithms and Length of Keys

- KSK: 2048 bits, RSASHA256 (algorithm number 8)
- ZSK: 1024 bits, RSASHA256 (algorithm number 8)

6.2 Authenticated Denial of Existence

NSEC3 (RFC 5155) with opt-out is required.

6.3 Signature Format

Signatures will use RSASHA256 (algorithm number 8).

6.4 ZSK (Zone Signing Key) Rollover

Each ZSK will be active for a 3-month period.

6.5 KSK (Key Signing Key) Rollover

In the case of a normal key rollover, the key will be published three months prior to its activation, and will be kept for three months after being disabled. The lifespan of this key will be determined under the criteria that NIC Chile considers adequate. The rollover will follow a procedure that allows its automation, following the RFC 5011 method.

6.6 Life Cycle of the Signatures and Re-signing Frequency

ZSK signatures will be valid for 45 days, and will be regenerated with each new zone.

6.7 RR's Time-To-Live

The DNSKEY TTL is 3600 seconds.

7. LEGAL AFFAIRS

NIC Chile reserves the right to disable DNSSEC when the stability of .CL is at risk.

This document will maintain its official version in Spanish, even though there will be translations into other languages. These translations will only be used as a reference to the original Spanish document.
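As an added example (not part of this DPS and not NIC Chile's own tooling), the following Python takes a KSK or ZSK in the DNSKEY presentation format of section 2.2, computes the RFC 4034 key tag (the "key id"), derives the SHA-256 DS record of the kind coordinated with ICANN, and reports any deviation from the parameters of sections 6.1 and 6.7 (RSASHA256, 2048-bit KSK, 1024-bit ZSK, TTL 3600). The sample keys are constructed inline and are not the real .CL keys; a relying party would feed it the DNSKEY records fetched from the repository instead.

```python
import base64
import hashlib
# DPS section 6.1: RSA modulus bits per key type (flags 257 = KSK, 256 = ZSK); algorithm 8 = RSASHA256.
POLICY_BITS = {257: 2048, 256: 1024}
POLICY_ALG, POLICY_TTL = 8, 3600  # sections 6.1 and 6.7

def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR: 'owner ttl IN DNSKEY flags proto alg base64'."""
    owner, ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    assert rtype == "DNSKEY", "not a DNSKEY record"
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode("".join(key))
    return {"owner": owner, "ttl": int(ttl), "flags": int(flags), "alg": int(alg), "rdata": rdata}

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the 'key id' of section 2.2), valid for every algorithm except 1."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA public key: [exponent length][exponent][modulus]."""
    exp_len, start = (pubkey[0], 1) if pubkey[0] else (int.from_bytes(pubkey[1:3], "big"), 3)
    return int.from_bytes(pubkey[start + exp_len:], "big").bit_length()

def ds_record(rec):
    """DS RR (digest type 2 = SHA-256 over canonical owner name + DNSKEY RDATA) for the parent zone."""
    labels = rec["owner"].lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha256(wire + rec["rdata"]).hexdigest().upper()
    return f"{rec['owner']} IN DS {key_tag(rec['rdata'])} {rec['alg']} 2 {digest}"

def policy_findings(rec):
    """Deviations of a published key from DPS sections 6.1 and 6.7; an empty list means compliant."""
    findings = []
    if rec["alg"] != POLICY_ALG:
        findings.append(f"algorithm {rec['alg']} != {POLICY_ALG}")
    if rec["flags"] not in POLICY_BITS:
        findings.append(f"unexpected flags {rec['flags']}")
    else:
        bits = rsa_modulus_bits(rec["rdata"][4:])  # skip flags, protocol and algorithm bytes
        if bits != POLICY_BITS[rec["flags"]]:
            findings.append(f"modulus {bits} bits != {POLICY_BITS[rec['flags']]}")
    if rec["ttl"] != POLICY_TTL:
        findings.append(f"ttl {rec['ttl']} != {POLICY_TTL}")
    return findings

# Constructed sample keys (NOT the real .CL keys): e = 65537, modulus = 0x80 followed by zero bytes.
def sample_line(flags, modulus_bytes):
    pub = b"\x03\x01\x00\x01" + b"\x80" + b"\x00" * (modulus_bytes - 1)
    return f"cl. 3600 IN DNSKEY {flags} 3 8 {base64.b64encode(pub).decode()}"
KSK_LINE, ZSK_LINE = sample_line(257, 256), sample_line(256, 128)  # 2048-bit KSK, 1024-bit ZSK
```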