You're viewing an archived page. It is no longer being updated.
This content is only available for historical reference.
This document is intended as a statement of the security practices (physical and network) employed by the RIPE NCC in relation to the operation and forward planning of DNSSEC.
The private keys used by DNSSEC are stored on a machine (known from here on as the "signer") which is physically separated from all machines providing public DNS services. The first section of this document discusses the physical security of that machine. The second section of the document provides details on the network security of the signer. The third section describes the policies in place for backup and recovery. Finally, the document looks at details regarding the keys and signing frequency, along with rollover policies and communication strategies.
The private keys used by DNSSEC are stored on the signer, a machine that is located separately from all machines providing public DNS services and that uses different power and network infrastructure from them.
The signer is housed in a secure area open only to RIPE NCC technical staff, and is restricted to boot only from its internal disk. The BIOS on the machine is password protected to ensure the boot order cannot be changed to boot from any other media. Logins on the console of the signer are restricted to two members of the RIPE NCC technical staff, and privileged or root login is not available on the physical console of the signer.
The signer is connected to the RIPE NCC network infrastructure via a standard switched VLAN. A single host (the DNS provisioning server) has connectivity to the signer via SSH; firewall filtering blocks access from all other hosts. Two members of RIPE NCC technical staff are permitted network access, which is via SSH using public/private keys only. Privileged access to the machine is available to the same two members of staff only, via a privilege elevation method that logs all usage.
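As an added illustration (not RIPE NCC tooling), the following audits an OpenSSH sshd_config against the signer access posture just described: key-based logins only, no direct root login, and at most two permitted accounts. The sshd_config keywords are real OpenSSH options; the account names, the provisioning host address 192.0.2.10 and the user@host pinning are constructed assumptions.

```python
# Added example (not RIPE NCC's own tooling): audit an sshd_config against the
# signer access policy described above. Keywords are real OpenSSH options;
# account names and the provisioning host address are constructed.
SIGNER_POLICY = {
    "passwordauthentication": "no",   # public/private keys only
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",          # no direct privileged login
}
MAX_LOGIN_ACCOUNTS = 2                # the two designated staff members

def parse_sshd_config(text):
    """Map lowercased keyword -> value, keeping the FIRST occurrence of each
    keyword (how sshd resolves duplicates). Match blocks are not handled."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comments
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(text):
    """Return a list of policy violations; an empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in SIGNER_POLICY.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (want {want})")
        elif got.lower() != want:
            findings.append(f"{key}={got} (want {want})")
    users = conf.get("allowusers", "").split()
    if not users:
        findings.append("allowusers not set: any local account may log in")
    elif len(users) > MAX_LOGIN_ACCOUNTS:
        findings.append(f"allowusers lists {len(users)} accounts (max {MAX_LOGIN_ACCOUNTS})")
    # user@host entries additionally pin each account to the provisioning host,
    # a second layer behind the firewall filter described above (assumed here).
    unpinned = [u for u in users if "@" not in u]
    if unpinned:
        findings.append("allowusers entries not pinned to a source host: " + " ".join(unpinned))
    return findings

# Constructed sample config in the compliant state (192.0.2.10 = provisioning host).
COMPLIANT_CONF = """PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers dnsadmin1@192.0.2.10 dnsadmin2@192.0.2.10
"""
```

Because sshd honours the first occurrence of a keyword, a compliant line appended below an earlier permissive one does not take effect, and the audit reports the earlier value.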
The signer's entire hard disk is backed up once a month (and immediately following a key incident) to CD-ROM. The part of the backup which contains the keystore is encrypted using the PGP keys of the two designated members of RIPE NCC technical staff. The CD-ROM backup is stored in a locked/secure location at a different site to the signer.
An internally published disaster recovery policy is available, covering the steps needed to recover from total loss of the signer. One of the previously mentioned members of the RIPE NCC technical staff must be present to recover the encrypted keystore.
To avoid possible failures, here at the RIPE NCC we will sign all zones using the procedure described below:
The RIPE NCC provides a secure method for administrators of zones to upload secure delegations to the parent zones.