On 20/06/11 3:08 PM, Jay Daley wrote:

As we have agreed to change our key size to that used by the majority of other TLDs we are now fully in line with best practice as used by other DNSSEC signed TLDs.

Frankly, I am disappointed with this response and I believe you all should be too. I think the NZNOG community deserves better than to be told. "No one else has answered these questions, so we're not going to either". Ever consider that they weren't asked of any other TLD? New Zealand, and NZNOG in particular, has always prided itself as having a particularly vocal and motivated technical community. How many overseas speakers do we get at conferences who rave about how unique the NZNOG community is?

If every organisation behaved as NZRS just has, then back in 2003 we'd have been told that because no other ccTLD had a .geek subdomain so the .nz ccTLD wasn't going to have one either. The DNC wasn't that close-minded however and the .nz ccTLD is a better place for it.

Once again rather than taking the opportunity to engage with the community and provide clarity, NZRS has spent time and resources to justify why it should not have to provide any additional information.

Aside from that, the NZRS DPS is not "fully in line with the best practice as used by other DNSSEC signed TLDs", and I'll show you why.

NZRS hasn't done you any favours here, they have made it hard for you to assess how they stack up with others around the world by not actually linking to the other TLDs (or even providing their domain names).   I'll show how some of the other registries handle these issues, but really... It's not about doing the bare minimum and then claiming that you're compliant, it's about building trust within your own community, answering their concerns, so that they will trust and accept your suggested processes. Something which I don't believe NZRS is doing very well at present.

Here are links to some of the other TLD DPS documents.

.se http://www.iis.se/docs/se-dnssec-dps-eng.pdf
.jp https://jprs.jp/doc/dnssec/jp-dps-eng.html
.com, .net, .edu http://www.google.co.nz/search?q=verisign+DNSSEC+practice+statement    (top 3 links)
.nl   https://www.sidn.nl/fileadmin/docs/PDF-files_UK/DNSSEC%20Policy%20and%20Practice%20Statement.pdf

I'd like to start off by drawing attention to the following passage from the NZRS DPS:
"With the support of this DPS, the relying party can determine the level of trust they may assign to DNSSEC in the .nz domain and assess their own risk."

I like the way that RIPE NCC words this better (http://www.ripe.net/data-tools/dns/dnssec/dnssec-policy-and-practice-statement):
"The purpose of this document is to enable stakeholders to determine the level of trust they wish to grant to the RIPE NCC DNSSEC management."

The DPS document is meant to provide you, the stakeholder, with all the information you need to be able to assess how much you'll trust the DNSSEC system.
I'd cover one area (Physical Security) in this email, but I believe the argument holds for other areas within the DPS as well.

What is the sum total of the information that NZRS gives stakeholders about the security of the physical environment protecting the .nz key material?

"All facilities have restricted access, limited to authorised personnel and proper access logs."

If I try and use this information to determine a level of trust, it's very difficult because it's so.... sparse.
The problem is that there are lots of ways in which NZRS could implement the physical security of the system and still be compliant.

A locked door and a logbook outside a spare room at the NZRS offices would satisfy all the physical security requirements of the .nz DNSSEC system.
There are other bullet points in the DPS about aircon, UPS, generator, fire system, smoke detectors, but they don't guarantee that the location is any more secure than a standard office environment.

See why it's hard to establish trust from a statement that general?

Now I'm not saying that's where they are deploying, but there is nothing to stop present or future NZRS management from doing so. What's more, because NZRS refuse to disclose the location of the equipment, they wouldn't even need to tell the community if it was moved so such a location.

So if NZRS really is "fully in line with the best practice", you'd expect all the other DPS documents to give the same sparse information, right?

Well, lets see what information the other TLDs choose to give their stakeholders..

Verisign who manage the .com, .net and .edu TLDs have a DPS which states:

"4.1.1 Site location and construction
Verisign DNSSEC operations are conducted within a physically protected environment that deters, prevents, and detects unauthorized use of, access to, or disclosure of sensitive information and systems, whether covert or overt. Verisign also maintains disaster recovery facilities for its DNSSEC operations. Verisign's disaster recovery facilities are protected by multiple tiers of physical security comparable to those of Verisign's primary facility.

4.1.2. Physical access
Verisign DNSSEC systems are protected by a minimum of four tiers of physical security, with access to the lower tier required before gaining access to the higher tier. Progressively restrictive physical access privileges control access to each tier. Sensitive DNSSEC operational activity, any activity related to the lifecycle of the COM KSK & ZSK, occurs within very restrictive physical tiers. Access to each tier requires the use of a proximity card employee badge. Physical access is automatically logged and video recorded. Additional tiers enforce individual access control through the use of two factor authentication including biometrics. The physical security system includes additional tiers for key management security which serves to protect both online and offline storage of HSMs and keying material. Areas used to create and store cryptographic material enforce dual control, each through the use of two factor authentication including biometrics. Online HSMs are protected through the use of locked cabinets. Offline HSMs are protected through the use of locked safes, cabinets and containers. Access to HSMs and keying material is restricted in accordance with Verisign's segregation of duties"

Now to me, I'm much more able to read that information and use it to decide how much I'm going to trust their physical security.
You don't have to be that wordy though. There are other TLDs which err on the sparse side but still manage to provide more information than NZRS.

The .se DPS contains a very important addition:
"All of the systems components are protected within a physical perimeter with an access control and alarm system operated by .SE."

By reading the NZRS DNS it's not clear that there even IS an alarm system in place around the .nz key material, let alone who it's controlled by.

As an aside, if you'd like to see some photos of some components of the .se system they are available in this tutorial
http://www.iis.se/docs/dnssec_20090529_tutorial-dps.pdf

The organisation operating the .nl ccTLD aren't afraid to admit where one of their locations is, and they do at least state that the other ones are data centres:

"Site location and construction
SIDN operates multiple sites in the Netherlands. These include server-rooms in the SIDN office, cabinets in multiple geographically dispersed data centres and a backup site outside of Arnhem."

Another aside, if you'd like to see some pictures from the .NL folks, have a look at this presentation:
https://www.os3.nl/_media/2010-2011/uva-20101019.pdf.
Great pics of the signing ceremony as well as the hardware tokens and HSM.
Again, the more information, the more you can evaluate trust in the system.

Even the English translation of the .jp DPS has additional information over the NZRS version:

"4.1.2. Physical access
With regard to the Important Facility Room, the Registry controls
entry and exit from the room by conducting the identification of
relevant person and checking of the entry permission. The Registry
does not permit person who has no entry permission to enter the
room. If entry of such person is unavoidable, the person will be
allowed to enter by receiving one-time entry permission beforehand
and accompanied by person who has entry permission."

So the room access is atleast controlled by the Registry. Well that's an assurance we don't have from NZRS, it could be controlled by a third party. In fact we don't even have an assurance that there is a dedicated room/physical perimeter. The NZRS equipment could be housed in a shared environment with other colo customers' equipment. Other colo customers would indeed be be authorised to access the shared environment and might even have physical access to the NZRS systems. I'd certainly like to know this when making a decision about how much to trust the system.

The .JP DPS also explains that unauthorised persons (think the IBM/Oracle/HP hardware tech swapping a motherboard) are escorted. It's another assurance we don't have from NZRS (unless I'm missing it somewhere else in the document).

So in summary, I don't believe that NZRS can say they are "now fully in line with the best practice as used by other DNSSEC signed TLDs" by just making a single change to the key size. As people have pointed out, even using an xkcd cartoon, keysize is only one area, and not even the easiest one to compromise. Getting the rest of this right is just as important.

Other TLDs go further (some, like Verisign go MUCH further) to give their stakeholders more information about physical security to enable them to make informed trust decisions. This information sharing to allow stakeholders to determine a level of trust is something that the architects of the DPS system intended.

All the information that NZRS prepared to give the .nz stakeholder community is:
"All facilities have restricted access, limited to authorised personnel and proper access logs."

I'm not prepared to say that I trust a system when that's the only information I have about it.

That's just one area. There are other sections in the other TLD DPSs which are much more informative than the NZRS DPS (Personnel Checks are one which stands out).

I'd like to suggest that NZRS is a little more descriptive in the areas around Physical Security. Even if you were to take all the bits from the other TLDs and glue them into one paragraph is would be better than what we have right now.

"All facilities have restricted access, limited to authorised personnel. and proper access logs. These include server-rooms in the XXX offices, cabinets in two data centres, and a backup site outside of XXX. All of the systems components are protected within a physical perimeter with an access control and alarm system operated by NZRS. If entry of unauthorised personnel is unavoidable, the person will be allowed to enter by receiving one-time entry permission beforehand and accompanied by person who has entry permission."

Regards,
Dean