Key Generation Procedure review

As part of our DNSSEC Production Readiness Test, on September 23rd 2011 we carried out an official rehearsal of the Key Generation Procedure. This procedure is the kick-start for the DNSSEC deployment for .nz: it is where we create the keys used to sign the .nz DNS data. To ensure the procedure follows current best security practice, we asked Lateral Security to attend the rehearsal and provide us with a review.

Lateral Security's report can be found here. In brief, the report recommends the following actions:

  • Review the Implementation Plan, adding timing estimates to each step of the procedure.
  • Prepare a Contingency Plan that details authorities, responsibilities, and procedures for unexpected events during the execution of the procedure.
  • Enhance the procedure to make it compliant with the Workplace Health and Safety Act 1992.
  • Establish an Internal Security Policy on the use of mobile devices and recording devices during the execution of the procedure.


Our response to the report included the following actions:

  • The procedure now includes timing estimates for each step, based on the numerous practice runs executed over the last months. These provide an effective early-warning indicator that the procedure is drifting away from the expected path.
  • A detailed Contingency Plan has been prepared to cover both expected and unexpected events during the execution of the procedure. Authorities and responsibilities have been defined, and control points are now included within the procedure to facilitate decision-making in case of an event.
  • The procedure now provides safety instructions in line with the Workplace Health and Safety Act 1992 in case of a major event such as an earthquake.
  • The use of mobile and recording devices is now clarified in the introductory part of the procedure.


With this, we are confident we have a more robust procedure for producing the keys that will sign .nz under DNSSEC. The Key Generation log script will be made public after the completion of the procedure, giving the community the opportunity to review it.