Dear Boban and Laurin,
See below regarding the NS/DS record management topic of the DNS SSR workstream. There are no remaining questions for this topic.
Review Team volunteers: Boban, Laurin
Workstream: DNS SSR
Topic: NS / DS record management
Q: What technologies are used to ensure integrity and authentication?
A: For the ICANN Org portfolio of domains (e.g., icann.org):
- The registrar account for ICANN is restricted to key engineering personnel.
- The registrar password is of significant length and complexity.
- The registrar account for ICANN requires two-factor authentication.
- Domain locks are applied on all domains in the ICANN Org portfolio.
- All ICANN domains in the ICANN portfolio are DNSSEC signed.
Q: What procedures are used to address SSR concerns when it comes to NS/DS record management?
A: For the ICANN Org portfolio of domains (e.g., icann.org):
- Changes to the NS/DS records in ICANN Org zones are restricted to a minimal set of personnel with valid credentials.
- Changes can only be performed from the ICANN network, which can only be accessed via ICANN VPN and that requires valid credentials and two-factor authentication.
- The ICANN VPN applies a requisite profile which includes an access control list to permit only the minimal set of personnel access to the system for changing records.
- The mechanism for changing DNS records employs version control and logging.
Best,
Jennifer
--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)
Email: jennifer.bryce@icann.org
Skype: jennifer.bryce.icann
www.icann.org