
Domain Name Registration and Operational Best Current Practices

Florian Maury, ANSSI

May 10, 2015

Florian Maury – ANSSI http://www.ssi.gouv.fr/guide-dns May 10, 2015 1/17


Document Motives

Motives :

▶ lack of documentation meeting our criteria

▶ in French

▶ independent

▶ all-in-one

▶ incidents keep on occurring

▶ asked for by operators


A Broad Approach

“Risk management”-oriented approach :

▶ to identify vigilance points when contracting with a provider

A broad approach :

▶ DNS essentials reminder
▶ organizational aspects
▶ legal aspects
▶ operational aspects


Organizational Aspects


Registry Selection Criteria

Registry selection is paramount to secure a domain name

Registries are high-priority targets for attackers.

Expected security features (in addition to all availability best practices) :

▶ DNSSEC support
▶ registry lock


Our Vision of the Registry Lock

Registry lock :

▶ all domain-related information is frozen, including delegations, DNSSEC material and whois content

Procedure :

1. lock activated by the domain name holder
2. lock enforced by the registry
3. may be unlocked only at the domain name holder's request :
   ▶ the registry authenticates the request origin
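A lock that only the registry can lift shows up in whois as registry-set (server*) EPP statuses, whereas client* statuses are set by the registrar and can be cleared from a compromised registrar account. The following check is an added example, not code from the guide; it assumes the registry implements its lock with the three RFC 5731 server*Prohibited statuses and runs on constructed whois text.

```python
import re

# Registry-side EPP statuses (RFC 5731) that together freeze NS/DS/contact
# data, deletion and transfer. Assumption: the registry implements its lock
# with these statuses; confirm against the registry's own documentation.
REQUIRED_SERVER_LOCKS = {
    "serverUpdateProhibited",    # no NS / DS / contact changes
    "serverDeleteProhibited",    # no deletion
    "serverTransferProhibited",  # no transfer to another registrar
}

_STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

def parse_statuses(whois_text: str) -> set:
    """Extract EPP status names from the 'Domain Status:' lines of a whois answer."""
    return set(_STATUS_RE.findall(whois_text))

def audit_registry_lock(whois_text: str) -> dict:
    """Report whether the registry-enforced lock is complete and which locks
    are only registrar-side (client*) and therefore weaker."""
    statuses = parse_statuses(whois_text)
    server = {s for s in statuses if s.startswith("server")}
    client = {s for s in statuses if s.startswith("client")}
    missing = sorted(REQUIRED_SERVER_LOCKS - server)
    return {
        "locked": not missing,
        "missing_server_locks": missing,
        "registrar_only_locks": sorted(client),
    }

# Constructed sample whois answers (hypothetical domain, not real data).
LOCKED_EXAMPLE = """\
Domain Name: EXAMPLE.TEST
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""

REGISTRAR_ONLY_EXAMPLE = """\
Domain Name: EXAMPLE.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

if __name__ == "__main__":
    for label, text in (("locked", LOCKED_EXAMPLE), ("registrar-only", REGISTRAR_ONLY_EXAMPLE)):
        print(label, audit_registry_lock(text))
```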


Registrar Selection Criteria

Registrar selection is as important as the registry selection

Expected security features :

▶ 2-factor authentication with access logs
▶ registry lock support
▶ DNSSEC support


Other Providers Contracts

Expectations of DNS hosting operators :

▶ application of technical best current practices

Expectations of resellers and other service providers :

▶ contracting is a risk transfer, not necessarily risk handling !


Legal Aspects


Legal Systems and Languages

Select registries and registrars subject to legal systems and dispute resolution policies well understood by the domain name holder.


Technical Aspects


Resiliency Axis : System Administration BCP

System administration BCP :

▶ implement a backup policy
▶ automate system health-checking

▶ set TTL values according to the operational needs


Resiliency Axis : State-of-the-art Compliance

State-of-the-art compliance :

▶ TCP support
▶ EDNS0 support
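What these two items mean on the wire: a server must answer the same query when it arrives over TCP with a 2-byte length prefix, and must not reject a query carrying an EDNS0 OPT pseudo-record. The code below is an added example, not part of the guide; it builds such a query from scratch with the standard library only (the server address and zone name passed to `query_tcp` are the operator's own, and the network call is optional).

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending with the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 2, txid: int = 0x1234,
                edns: bool = True, udp_size: int = 4096) -> bytes:
    """Query for (name, qtype); with edns=True an OPT RR advertising udp_size
    and the DO bit is appended, which an EDNS0-compliant server must accept."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE 0 / version 0 / DO bit set, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return msg

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("short DNS/TCP response")
        data += chunk
    return data

def query_tcp(server: str, name: str, timeout: float = 5.0) -> dict:
    """Send the EDNS0 NS query over TCP and return the parsed response header.
    No TCP answer, or RCODE 1 (FORMERR) on the OPT RR, means non-compliance."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(tcp_frame(build_query(name)))
        length = struct.unpack("!H", _recv_exact(sock, 2))[0]
        return parse_header(_recv_exact(sock, length))
```

A compliant server answers over TCP with `rcode` 0 and, because it echoes an OPT RR, `arcount` of at least 1.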


Resiliency Axis : System Hardening

System hardening :

▶ deploy DDoS mitigation solutions
▶ harden operating system, not only the DNS service
▶ implement role separation

▶ implement information compartmentalisation


Resiliency Axis : Avoid SPOF

Avoid single points of failure :

▶ implement software diversification

▶ adopt a resilient network topology

▶ adopt a resilient physical topology

Limit third party dependency :

▶ avoid glueless delegations
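The SPOF and third-party-dependency items above can be audited from the delegation alone. The following audit is an added example, not code from the guide; it assumes the operator already knows each name server's IPv4 address, autonomous system and DNS software (the constructed inputs below stand in for that inventory), and treats any name server outside the zone as a glueless delegation whose resolution depends on a zone the holder does not control.

```python
import ipaddress

def in_bailiwick(ns_name: str, zone: str) -> bool:
    """True when the name server lives under the zone, so glue can be published."""
    return ns_name == zone or ns_name.endswith("." + zone)

def audit_delegation(zone: str, ns_set: dict) -> list:
    """Return SPOF / third-party-dependency findings for a delegation.
    ns_set maps each NS name to (IPv4 address, autonomous system number, software)."""
    findings = []
    if len(ns_set) < 2:
        findings.append("fewer than two name servers")
    glueless = sorted(n for n in ns_set if not in_bailiwick(n, zone))
    if glueless:
        # resolving these names depends on a zone the holder does not control
        findings.append("glueless delegation: " + ", ".join(glueless))
    # /24 is used as a coarse proxy for "same network"; adjust to the operator's topology
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a, _, _ in ns_set.values()}
    if len(nets) == 1:
        findings.append("all name servers share one /24 (network SPOF)")
    if len({asn for _, asn, _ in ns_set.values()}) == 1:
        findings.append("all name servers in one autonomous system (topology SPOF)")
    if len({sw for _, _, sw in ns_set.values()}) == 1:
        findings.append("single DNS software (no software diversification)")
    return findings

# Constructed delegations for a hypothetical zone; not data from the guide.
DIVERSE = {
    "ns1.example.test": ("192.0.2.10", 64500, "bind"),
    "ns2.example.test": ("192.0.2.11", 64500, "nsd"),
    "ns3.dnshost.test": ("198.51.100.5", 64501, "knot"),
}
MONOCULTURE = {
    "ns1.example.test": ("192.0.2.10", 64500, "bind"),
    "ns2.example.test": ("192.0.2.11", 64500, "bind"),
}

if __name__ == "__main__":
    for label, ns in (("diverse", DIVERSE), ("monoculture", MONOCULTURE)):
        print(label, audit_delegation("example.test", ns) or ["no finding"])
```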


DNSSEC Recommendations ?

What about DNSSEC ?

▶ DNSSEC may be considered once all of the above are applied

▶ ANSSI resiliency observatory : study DNSSEC and its deployment


Q & A

Call for feedback :

[email protected]

Google translated english version of the guidelines
