DNS SSR answers FAO Boban, Laurin
Dear Boban and Laurin,

See below regarding the NS/DS record management topic of DNS SSR workstream. There are no remaining questions for this topic.

Review Team volunteers: Boban, Laurin
Workstream: DNS SSR
Topic: NS / DS record management

Q: What technologies are used to ensure integrity and authentication?

A: For the ICANN Org portfolio of domains (e.g. icann.org):

* The registrar account for ICANN is restricted to key engineering personnel.
* The registrar password is of significant length and complexity.
* The registrar account for ICANN requires two-factor authentication.
* Domain locks are applied on all domains in the ICANN Org portfolio.
* All ICANN domains in the ICANN portfolio are DNSSEC signed.

Q: What procedures are used to address SSR concerns when it comes to NS/DS record management?

A: For the ICANN Org portfolio of domains (e.g. icann.org):

* Changes to the NS/DS records in ICANN Org zones are restricted to a minimal set of personnel with valid credentials.
* Changes can only be performed from the ICANN network, which can only be accessed via ICANN VPN and that requires valid credentials and two-factor authentication.
* The ICANN VPN applies a requisite profile which includes an access control list to permit only the minimal set of personnel access to the system for changing records.
* The mechanism for changing DNS records employs version control and logging.

Best,
Jennifer

--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)
Email: jennifer.bryce@icann.org
Skype: jennifer.bryce.icann
www.icann.org