I'm far from an expert in DNS or DNSSEC but I do believe that we can't let this get swept under the rug; I have a strong respect for the technical nous of many on NZNOG and, with a strong operational context, NZNOG seems like an ideal place to discuss this. Most folks here know my background and interests. There are a few areas I have some thoughts on:
NZRS has decided on 1280 as a key length for the KSK. 2048 seems to be a much wider accepted standard. In fact RFC4641 recommends 2048 as a KSK key length for 'high-value' domains such as TLDs.
Of the following list of DNSSEC enabled domains only one has chosen 1280 as a KSK length.
root      2048
br        1280
se        2048
cz        2048
uk        2048
org       2048
gov       2048
edu       2048
kirei.se  2048
NZRS must have reasons and I'm all ears, but in the meantime, organisations I've spoken to have refused to give this a tick of trust based on the low key length.
Given the above feedback I'd love to know why a smaller key size has been put up for .nz - Jay, this is one area where an early comment might be smart.
PEOPLE: It's not even with the current people concerned. Both Jay and Sebastian are great upstanding people and individually worthy of trust, but as far as I know they are not going to be the only ones with access to the key material. They are certainly not going to be the only ones with access in the future. I believe that the current procedures are lacking when it comes to proving to you and me that the people with a level of authority in this system are worthy of trust.
Reading the DPS document, the key material is protected by two NZRS employees (or board members) who have had 'standard pre-employment checks'. I'm sorry but that falls below what I need in order to be able to recommend that organisations start to trust this system.
'Standard Pre-Employment Checks' could mean essentially nothing at all. It could mean a Police Records Check and a Referees check. It could mean a lot more depending on whose definition of 'standard' you run with. Given the importance of the .nz zone in terms of NZ's critical Internet Infrastructure I'm surprised that someone like CCIP hasn't stepped in here to recommend (at the very least) a clearly articulated set of checks. In the Government space there's obviously a series of vetting grades which range from 'Police Check' through to official vetting levels. CCIP through their parent org (GCSB) should be at least consulted on something such as this? Can NZRS advise what benchmark they're using for personnel vetting?
party. We're going to require other participants to be present". Our very own Andy Linton is one of these Trusted Community Representatives for the root zone.
I like the idea of Trusted Community Representatives and would advocate such a system being implemented within the .nz space - if only to ensure complete transparency in terms of the InternetNZ involvement and the access that various folks within InternetNZ may (or may not) have to the back-end. Neutral or external eyes are important and in New Zealand we're fortunate enough to have plenty of folks with an appropriate level of industry trust.
Once again, I'm not saying that the people involved today are untrustworthy, but how will we know that the next person is just as trustworthy? What are the procedures in place to make sure of that?
Again, if we knew what benchmarks were being used and had some details of the process being followed by InternetNZ, these questions wouldn't need to be asked.
The highlights are:
- No stated archive of old versions of the document. The entire document could change over time and it might not be possible to see when this was done.
Does InternetNZ have a change management system? A document management system? Even something done manually (doesn't have to be in a diff'able repository) with appropriate processes and oversight would be adequate in my opinion.
- No information around the security aspects of the co-location sites. Other DPS documents have outlined the security features used and who has access.
There's a process from my time in Mil/Gov that is called 'Certification and Accreditation' that covers the need for both systems and sites to be evaluated from a security perspective. Has InternetNZ performed anything similar? C&A was a term from dealing specifically with sensitive or classified data, but the approach is ideal for something such as this. CCIP could no doubt provide advice.
- No elaboration on who has access to the equipment. Do co-location staff have access as well as NZRS staff? If not, how is this enforced and audited?
C&A (or similar) would cover this.
- Why is there no regular schedule for an external audit? ICANN has set regular audit dates (two years I believe, without looking it up). Leaving it up to NZRS to have them 'as necessary' means that they could never be done at all.
'As necessary' is too vague for something this important.
So let's start to address some of these issues. If you think I've got it wrong, then by all means chime in. If you think there are other areas which need work then chime in. If we get this right then I'm going to be the biggest .nz DNSSEC advocate and tell everyone who will listen that .nz is the place to host domains you want to secure.
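The KSK key-length point above can be checked against the live zone rather than the DPS text. The following is an added example (not part of Dean's post, and not code from NZRS or InternetNZ) in Python that decodes a DNSKEY record as printed by `dig` and reports the RSA modulus size, the key role (KSK or ZSK from the SEP flag) and the RFC 4034 key tag, then compares the KSK against a minimum size. The owner name `example.nz.` and the records themselves are constructed locally with random moduli of the right shape, not real .nz keys; the 2048-bit threshold is taken from the RFC 4641 recommendation quoted above and is a policy choice, not anything NZRS has published.

```python
import base64
import random

# DNSSEC algorithm numbers whose public key uses the RFC 3110 RSA encoding.
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}


def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B.1 over the DNSKEY RDATA.
    (Algorithm 1, RSAMD5, uses a different rule in B.2 and is not handled.)"""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """Parse one DNSKEY RR in presentation format, e.g. a line from
    `dig DNSKEY nz. +dnssec` (join the lines first if you used +multiline).
    Returns flags, algorithm, role, key tag and, for RSA keys, modulus bits."""
    fields = [f for f in rr.split(";")[0].split()      # drop dig's "; key id" comment
              if f not in ("(", ")")]                   # tolerate +multiline brackets
    i = fields.index("DNSKEY")                          # skip owner/TTL/class if present
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))     # dig splits the key into chunks
    info = {"flags": flags, "protocol": proto, "algorithm": alg,
            "role": "KSK" if flags & 1 else "ZSK",      # SEP bit = value 1
            "key_tag": key_tag(flags, proto, alg, key), "bits": None}
    if alg in RSA_ALGORITHMS:
        # RFC 3110: 1-byte exponent length (or 0 followed by a 2-byte length),
        # then the exponent, then the modulus; leading zero octets are omitted,
        # so the modulus bit length is the key size.
        exp_len, off = key[0], 1
        if exp_len == 0:
            exp_len, off = int.from_bytes(key[1:3], "big"), 3
        modulus = key[off + exp_len:]
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def ksk_meets_policy(rr, minimum_bits=2048):
    """True if the record is an RSA KSK whose modulus is at least minimum_bits.
    2048 is the RFC 4641 recommendation for high-value zones such as TLDs."""
    info = parse_dnskey(rr)
    return (info["role"] == "KSK" and info["bits"] is not None
            and info["bits"] >= minimum_bits)


def make_rsa_dnskey(owner, modulus_bits, flags=257, alg=8, seed=1):
    """Constructed test data: an RFC 3110-encoded key with a random modulus of
    the given size. NOT a real RSA key; it only has the right shape for parsing."""
    rnd = random.Random(seed)
    exponent = b"\x01\x00\x01"                                   # 65537
    modulus = rnd.getrandbits(modulus_bits) | (1 << (modulus_bits - 1))
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    key = bytes([len(exponent)]) + exponent + mod_bytes
    b64 = base64.b64encode(key).decode()
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {b64}"


# Constructed records standing in for a 1280-bit and a 2048-bit KSK.
SAMPLE_1280 = make_rsa_dnskey("example.nz.", 1280)
SAMPLE_2048 = make_rsa_dnskey("example.nz.", 2048)

if __name__ == "__main__":
    for rr in (SAMPLE_1280, SAMPLE_2048):
        info = parse_dnskey(rr)
        print(info["role"], RSA_ALGORITHMS[info["algorithm"]], info["bits"], "bits,",
              "key tag", info["key_tag"],
              "OK" if ksk_meets_policy(rr) else "below 2048")
```

To use it on a real zone, pass each DNSKEY line from `dig DNSKEY <zone>. +dnssec` to `parse_dnskey`; the record with flags 257 is the KSK, and the key tag it reports should match the one `dig` prints in its `; key id` comment and the one in the parent's DS record. Note that the key size only settles the first of the concerns above; the personnel and procedural questions are not something you can verify with a query.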
Big kudos to Dean for putting himself out there on this. The issues he raises and the questions he asks are reasonable, IMHO. At the very least InternetNZ should be able to get a feel for the response out of this group and make adjustments to suit. But it seems to me that there are some key points that need to be addressed. Mark. (Speaking personally, etc.)