Framework for DNSSEC audits
Hi all,

This might be of interest to you. In collaboration with SWITCH, we have developed a DNSSEC audit framework: http://www.nlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf

The scope of the framework is largely based on the documents RFC 2870, RFC 6841, RFC 6781 and the Secure Domain Name System (DNS) Deployment Guide from NIST. Having this publicly available, we believe it will improve the deployment of DNSSEC.

Best regards,
Matthijs Mekking
NLnet Labs
Moin! On 06 Jan 2014, at 12:33, Matthijs Mekking <matthijs@NLnetLabs.nl> wrote:
This might be of interest to you. In collaboration with SWITCH, we have developed a DNSSEC audit framework:
http://www.nlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf
The scope of the framework is largely based on the documents RFC 2870, RFC 6841, RFC 6781 and the Secure Domain Name System (DNS) Deployment Guide from NIST.
Having this publicly available, we believe it will improve the deployment of DNSSEC.

I admire your efforts, and the document is well written from my quick glance over it. But we IMHO need a big boilerplate upfront that this is not needed for deploying DNSSEC. The document might be good for TLDs and registries/registrars with huge security requirements. But if we want to get widespread deployment, we need to get further down the tree and wider. And my fear is that such a document can cause people to delay or not do DNSSEC deployments, as the requirements (based on this document) are huge (none of my currently signed domains would pass an audit).
I will add it to my reading list for a more detailed review.

So long
-Ralf
---
Ralf Weber, Senior Infrastructure Architect, Nominum Inc., 2000 Seaport Blvd. Suite 400, Redwood City, California 94063, ralf.weber@nominum.com
-----Original Message----- From: dns-wg-bounces@ripe.net [mailto:dns-wg-bounces@ripe.net] On Behalf Of Ralf Weber Sent: 6 January 2014 17:19 To: Matthijs Mekking Cc: dns-wg@ripe.net Subject: Re: [dns-wg] Framework for DNSSEC audits
Moin!
On 06 Jan 2014, at 12:33, Matthijs Mekking <matthijs@NLnetLabs.nl> wrote:
This might be of interest to you. In collaboration with SWITCH, we have developed a DNSSEC audit framework:
http://www.nlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf
The scope of the framework is largely based on the documents RFC 2870, RFC 6841, RFC 6781 and the Secure Domain Name System (DNS) Deployment Guide from NIST.
Having this publicly available, we believe it will improve the deployment of DNSSEC.

I admire your efforts, and the document is well written from my quick glance over it. But we IMHO need a big boilerplate upfront that this is not needed for deploying DNSSEC. The document might be good for TLDs and registries/registrars with huge security requirements. But if we want to get widespread deployment, we need to get further down the tree and wider. And my fear is that such a document can cause people to delay or not do DNSSEC deployments, as the requirements (based on this document) are huge (none of my currently signed domains would pass an audit).
I will add it to my reading list for a more detailed review.
I've read the document carefully, and from my perspective, this is exactly what you need to make sure that a specific DNSSEC implementation lives up to the requirements that are addressed, no matter the kind of organization. The audit framework must be able to cover all kinds of implementations, from registry and registrar down to a smaller entity. But doing an audit gives you the freedom to express when a requirement is applicable or not, imho that is.

Kind regards,
Anne-Marie Eklund Löwinder
Chief Information Security Officer
.SE
Hi Ralf, On 01/06/2014 05:18 PM, Ralf Weber wrote:
Moin!
On 06 Jan 2014, at 12:33, Matthijs Mekking <matthijs@NLnetLabs.nl> wrote:
This might be of interest to you. In collaboration with SWITCH, we have developed a DNSSEC audit framework:
http://www.nlnetlabs.nl/downloads/publications/dns-audit-framework-1.0.pdf
The scope of the framework is largely based on the documents RFC 2870, RFC 6841, RFC 6781 and the Secure Domain Name System (DNS) Deployment Guide from NIST.

Having this publicly available, we believe it will improve the deployment of DNSSEC.

I admire your efforts, and the document is well written from my quick glance over it. But we IMHO need a big boilerplate upfront that this is not needed for deploying DNSSEC. The document might be good for TLDs and registries/registrars with huge security requirements. But if we want to get widespread deployment, we need to get further down the tree and wider. And my fear is that such a document can cause people to delay or not do DNSSEC deployments, as the requirements (based on this document) are huge (none of my currently signed domains would pass an audit).
Yes, the framework is indeed in the first place applicable to TLDs. But also further down the tree people can benefit from this document. Note that this audit framework tries to be complete with respect to all possible controls, but these are not necessarily requirements. There may be controls that are not implemented or implemented differently, and if that is backed up with a managerial decision, the audit of the control may still pass. It is also possible for an auditor to do a partial audit, for example by only looking at the technical controls.
I will add it to my reading list for a more detailed review.
Thanks. We appreciate all feedback and discussion in order to mature this framework.

Best regards,
Matthijs