Note: This document is a translation of the original version of JP DPS
written in Japanese and is provided for informational purposes only.
JPRS does not represent or warrant the correctness and accuracy of this
translation.
1. INTRODUCTION
This document, "DNSSEC Practice Statement for the JP Zone (JP
DPS)", states the policies and practices of Japan Registry
Services Co., Ltd. (JPRS) with regard to DNSSEC operations for the
JP zone.
1.1. Overview
JPRS has published JP DPS to provide operational information about
DNSSEC (*1) for the JP zone. To allow comprehensive examination of
the operational security ideas, policies, practices and procedures
of the DNSSEC service for the JP zone ("JP DNSSEC Service"), JP DPS
adopts the DPS framework (*2) proposed and discussed in the IETF
Domain Name System Operations (DNSOP) Working Group.
The chapters of this document are as follows.
1. INTRODUCTION
2. PUBLICATION AND REPOSITORIES
3. REQUIREMENTS FOR DNSSEC PRACTICE
4. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS
5. TECHNICAL SECURITY CONTROLS
6. ZONE SIGNING
7. COMPLIANCE AUDIT
8. LEGAL MATTERS
---------------------------------------------------------------
*1: DNSSEC (DNS Security Extensions) is a set of specifications
that enable origin authentication and data integrity verification
of DNS responses by adding digital signatures to them. The
fundamental specifications of DNSSEC are described in the
following RFCs, which newly define DNS records such as DS, DNSKEY,
RRSIG and NSEC.
- RFC 4033
DNS Security Introduction and Requirements
http://www.ietf.org/rfc/rfc4033.txt
- RFC 4034
Resource Records for the DNS Security Extensions
http://www.ietf.org/rfc/rfc4034.txt
- RFC 4035
Protocol Modifications for the DNS Security Extensions
http://www.ietf.org/rfc/rfc4035.txt
*2: A DPS (DNSSEC Practice Statement) is a document in which an
operator states its ideas of security, policies, practices and
procedures with regard to operational issues of DNSSEC. The DPS
framework is drafted in the following Internet-Draft and is still
under discussion.
- draft-ietf-dnsop-dnssec-dps-framework-03
DNSSEC Policy & Practice Statement Framework
---------------------------------------------------------------
1.2. Document Name and Identification
DNSSEC Practice Statement for the JP Zone (JP DPS)
Version: 1.0
Available on: 2011/01/14
Effective on: 2011/01/16
1.3. Community and Applicability
This section describes the entities associated with JP DNSSEC
Service and their roles.
1.3.1. Registry
JPRS is the Registry for JP domain names. The Registry
administers registrations of JP domain names and operates the DNS
servers for the JP zone. For JP DNSSEC Service, the Registry
generates the signing keys (KSK and ZSK) (*3) of the JP zone and
produces the digital signatures for the JP zone. Further, by
registering DS record(s) of the JP zone in the root zone, the
Registry enables origin authentication and data integrity
verification of records in the JP zone, using the KSK of the root
zone as a trust anchor (*4).
---------------------------------------------------------------
*3: A signing key is a pair of a public key and a private key used
for signing records in a zone. KSK is the abbreviation for key
signing key, and ZSK for zone signing key.
*4: A trust anchor is information cryptographically equivalent to
the KSK of a given zone, which DNSSEC-aware resolvers use to
validate the chain of trust from that zone down to the zone being
queried.
---------------------------------------------------------------
1.3.2. JP Registrar
A JP Registrar is an entity that has concluded an agreement with
the Registry to act as an agent for JP domain name registrations.
A JP Registrar submits various requests regarding registration of
domain name information, including DS records, in the JP zone.
1.3.3. Registrant
A Registrant is an entity that has registered JP domain name(s)
with the Registry. To deploy DNSSEC for the Registrant's domain
name(s), the Registrant generates signing keys and produces
digital signatures for the Registrant's zone ("Registrant Zone").
The Registrant enables origin authentication and data integrity
verification of the Registrant Zone by registering DS record(s)
with the Registry through a JP Registrar. In some cases, the
Registrant requests a "DNS Provider", which provides operation
services for authoritative DNS servers, to generate the signing
keys, produce the digital signatures for the Registrant Zone and
generate the DS record(s).
1.3.4. Relying party
Relying parties are all entities related to JP DNSSEC Service,
including DNS Providers, caching DNS server operators and the users
of their services. Here the DNS Provider that manages a Registrant
Zone is called the "Registrant Zone Manager". In some cases, the
Registrant himself or herself may be the Registrant Zone Manager.
1.3.5. Auditor
The Auditor is an entity that audits whether or not JP DNSSEC
Service is operated in accordance with JP DPS.
1.3.6. Applicability
JP DPS is applied to the JP zone. DNS users are able to conduct
origin authentication and verify data integrity of DNS responses
from the JP zone. Registrant Zones are under Registrant's policy
and outside the scope of JP DPS.
1.4. Specification Administration
1.4.1. Specification administration organization
Japan Registry Services Co., Ltd. (JPRS)
1.4.2. Contact information
Japan Registry Services Co., Ltd. (JPRS) JP DPS contact
Telephone: +81-3-5215-8457
(9:00-18:00 excluding Saturdays, Sundays, national holidays or
the period from December 29 to January 3)
E-mail: info@jprs.jp
1.4.3. Specification change procedures
JP DPS is revised annually and/or whenever a legitimate need
arises, by the JP DPS Management Officer (Section 4.2.1). After the
revised contents are approved by the JP DNSSEC Service Conference
(Section 4.2.1), the revised JP DPS is made publicly available in
the manner described in chapter 2.
2. PUBLICATION AND REPOSITORIES
2.1. Repositories
JP DPS (Japanese)
https://jprs.jp/doc/dnssec/jp-dps-jpn.html
JP DPS (English)
https://jprs.jp/doc/dnssec/jp-dps-eng.html
2.2. Publication of Key Signing Keys
The Registry establishes the DNSSEC chain of trust by registering a
DS record of the JP zone in the root zone. Therefore, the Registry
does not explicitly publish the KSK public key of the JP zone as a
trust anchor.
2.3. Access Controls on Repositories
The Registry does not apply any particular access controls to JP
DPS beyond read-only access.
3. OPERATIONAL REQUIREMENTS
3.1. Meaning of Domain Names
The purpose and meaning of registration of domain names in the JP
zone follow the descriptions in the documents below (no English
translation is available).
Registration Rules for Organizational/Geographic Type JP Domain
Names
http://jprs.jp/doc/rule/rule.html
Article 2 (Purpose and Meaning of Organizational/Geographic Type
JP Domain Name Registration)
Registration Rules for General-use JP Domain Names
http://jprs.jp/doc/rule/rule-wideusejp.html
Article 2 (Purpose and Meaning of General-use JP Domain Name
Registration)
3.2. Activation of DNSSEC for Registrant Zone
When a DS record corresponding to a signing key used in a given
Registrant Zone is published in the JP zone, which is operated by
the Registry, and is digitally signed with a signing key of the
Registry, a chain of trust from the JP zone to the Registrant Zone
is established. This activates the Registrant Zone as a
DNSSEC-aware zone.
3.3. Identification and Authentication of Registrant Zone Manager
Authentication of an applicant related to a Registrant Zone is
conducted by the JP Registrar that exclusively manages the
Registrant's domain name registration in the JP zone ("Associated
JP Registrar"). The Registry employs prescribed authentication
procedures to check whether data registration requests, including
registration of DS record(s), are submitted by Associated JP
Registrars.
3.4. Registration of Delegation Signer (DS) Records
A Registrant Zone can be validated as a DNSSEC-aware zone once DS
record(s) of the Registrant Zone are registered in the JP zone.
The specification of DS records accepted for registration conforms
to the following documents of the Registry (no English translation
is available).
Technical Specifications for Organizational/Geographic Type JP
Domain Name Registration
http://jprs.jp/doc/rule/saisoku-1.html
(3. Signing Key Profiles Configurable for
Organizational/Geographic Type JP Domain Names)
Technical Specifications for General-use JP Domain Name
Registration
http://jprs.jp/doc/rule/saisoku-1-wideusejp.html
(5. Signing Key Profiles Configurable for General-use JP Domain
Names)
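Sections 3.2 and 3.4 describe the link that a DS record provides between a Registrant Zone's DNSKEY and the signed JP zone. The following Python example, added here for illustration (it is not part of JP DPS and not JPRS software), computes the DS record for a child DNSKEY as RFC 4034 (key tag, SHA-1 digest) and RFC 4509 (SHA-256 digest) define it, and performs the validator-side check that a DS published in the parent identifies a given child DNSKEY. The owner name example.jp and the key bytes are constructed placeholders; the key is not a real RSA public key, only the encoding and hashing are exercised.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each preceded by its length byte, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): 16-bit flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B.1, all algorithms except the obsolete RSAMD5):
    sum the RDATA as 16-bit big-endian words, fold the carry back in, keep 16 bits."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # 1: RFC 4034, 2: RFC 4509


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key: bytes, digest_type: int = 2) -> dict:
    """DS RDATA for a child DNSKEY (RFC 4034 section 5.1.4):
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def dnskey_presentation(owner: str, flags: int, protocol: int, algorithm: int,
                        public_key: bytes) -> str:
    """DNSKEY RR in zone-file presentation format (TTL 86400 as in JP DPS 6.9)."""
    return (f"{owner} 86400 IN DNSKEY {flags} {protocol} {algorithm} "
            + base64.b64encode(public_key).decode("ascii"))


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...' (parentheses allowed)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    key_b64 = "".join(f for f in fields[i + 4:] if f not in ("(", ")"))
    return fields[0], flags, protocol, algorithm, base64.b64decode(key_b64)


def ds_matches(parent_ds: dict, child_dnskey_rr: str) -> bool:
    """Validator-side check (JP DPS 3.2): does the DS published in the parent identify this
    child DNSKEY? Key tag and algorithm must agree and the digest must recompute exactly."""
    owner, flags, protocol, algorithm, key = parse_dnskey(child_dnskey_rr)
    computed = ds_record(owner, flags, protocol, algorithm, key, parent_ds["digest_type"])
    return computed == parent_ds


if __name__ == "__main__":
    # Constructed example: 'key' is placeholder bytes, not a real RSA public key.
    owner, key = "example.jp.", bytes(range(1, 33))
    rr = dnskey_presentation(owner, 257, 3, 8, key)  # 257 = zone key + SEP bit (KSK), 8 = RSASHA256
    ds = ds_record(owner, 257, 3, 8, key)
    print(rr)
    print(f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("matches:", ds_matches(ds, rr))
```

A Registrant Zone Manager can use the same computation to produce the DS record(s) submitted through the Associated JP Registrar, and to verify after publication that the DS in the JP zone matches the KSK actually in use: a mismatch in key tag, algorithm or digest breaks the chain of trust described in section 3.2, and the check above reports exactly that.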
3.4.1. Who can request registration
The Registry registers DS records for Registrant Zones in the JP
zone based on requests from Associated JP Registrars. Associated
JP Registrars confirm the Registrant's intention to register
before submitting the registration request to the Registry.
3.4.2. Procedure for registration request
The Registrant asks the Associated JP Registrar to register DS
record(s) in the JP zone. The Associated JP Registrar forwards the
registration request to the Registry based on the Registrant's
intention, according to the procedures defined by the Registry.
Upon the request from the Associated JP Registrar, the Registry
registers the DS record(s) in the JP zone. The time required for a
DS record to be registered in the JP zone after the Registry
receives the registration request depends on the update schedule
of JP DNS.
3.4.3. Emergency registration request
Not applicable in this document.
3.5. Method to Prove Possession of Private Key
The Registry does not specify requirements for validation checks
by the Associated JP Registrar as to whether the Registrant Zone
Manager possesses the private key corresponding to the DS record
being registered.
3.6. Removal of DS Record
DNSSEC validation of the Registrant Zone becomes unavailable when
the Registrant's DS record is removed from the JP zone.
3.6.1. Who can request removal
The Registry removes DS records for Registrant Zones from the JP
zone based on requests from Associated JP Registrars. Associated
JP Registrars confirm the Registrant's intention to remove before
requesting the removal.
3.6.2. Procedure for removal request
The Registrant asks the Associated JP Registrar to remove DS
record(s) from the JP zone. The Associated JP Registrar forwards
the removal request to the Registry based on the Registrant's
intention, according to the procedures defined by the Registry.
Upon the request from the Associated JP Registrar, the Registry
removes the DS record(s) from the JP zone. The time required for a
DS record to be removed from the JP zone after the Registry
receives the removal request depends on the update schedule of JP
DNS.
3.6.3. Emergency removal request
Not applicable in this document.
4. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS
4.1. Physical Controls
4.1.1. Site location and construction
The Registry installs the important facilities and equipment
related to JP DNSSEC Service ("the Important Facilities") in a
place that is not easily affected by disasters such as water
exposure, earthquakes, fires and lightning strikes ("the Important
Facility Room"). The Registry adopts building structures so that
the room is earthquake- and fire-proofed and protected from
trespassing. The location of the Important Facility Room is not
indicated inside or outside the building.
4.1.2. Physical access
For the Important Facility Room, the Registry controls entry and
exit by identifying each person and checking their entry
permission. The Registry does not permit persons without entry
permission to enter the room. If entry of such a person is
unavoidable, the person is allowed to enter only after receiving a
one-time entry permission beforehand and while accompanied by a
person who has entry permission.
4.1.3. Power and air conditioning
The Registry ensures sufficient supply of electric power to the
Important Facilities and takes countermeasures against temporary
blackout, electric power failure and fluctuation of
voltage/frequency. Further, the Registry maintains and manages air
conditioning facilities in order to avoid harmful effects to
machines and equipment in use.
4.1.4. Water exposures and earthquakes
The Registry takes waterproofing measures for the Important
Facility Room to minimize damages due to water exposures. Further,
the building where facilities and equipment related to JP DNSSEC
Service are housed has quakeproof structure, and measures are
taken to prevent equipment and fixtures from toppling or falling.
4.1.5. Fire prevention and protection
The Registry installs the Important Facilities in a fire
protection zone. Further, in this zone, fire prevention measures
are taken for electric power supplying facilities and air
conditioning, in addition to fire alarm apparatus and fire
extinguishing facilities.
4.1.6. Media storage
The Registry stores recording media containing important
archive/backup data related to JP DNSSEC Service in storage
cabinet(s) within a room where entry and exit are controlled
appropriately.
4.1.7. Waste disposal
The Registry appropriately disposes of documents and recording
media containing confidential information related to JP DNSSEC
Service by prescribed methods, such as zeroing the data or cutting
up the media.
4.1.8. Off-site backup
The Registry separately stores specified important information
related to JP DNSSEC Service in lockable cabinets in the Important
Facility Rooms at multiple sites that are sufficiently remote from
each other.
4.2. Procedural Controls
4.2.1. Trusted role
The following are the roles related to operations of JP DNSSEC
Service.
----------------------------------------------------------------
Role (abbreviation)
- Descriptions
----------------------------------------------------------------
JP DNSSEC Service Conference (DSC)
- Supervision of JP DNSSEC Service
- Approval of revised JP DPS
----------------------------------------------------------------
Chief DPS Management Officer (cDMO)
- Appointment of JP DPS Management Officer
- Confirmation of revised JP DPS
----------------------------------------------------------------
JP DPS Management Officer (DMO)
- Drafting/revision of JP DPS
----------------------------------------------------------------
Chief JP DNSSEC Signing Key Officer (cSKO)
- Appointment of JP DNSSEC Signing Key Operator
----------------------------------------------------------------
JP DNSSEC Signing Key Operator (SKO)
- Activation of KSK used for JP DNSSEC Service
- Generation/Deletion of KSK/ZSK used for JP DNSSEC Service
- Roll-over of KSK/ZSK used for JP DNSSEC Service
- Composition of signature for the JP zone by KSK/ZSK
- Registration of DS record(s) of the JP zone into the root zone
- Recording of KSK-related operations for JP DNSSEC Service
- Other operations under the instruction of cSKO
----------------------------------------------------------------
Chief JP DNSSEC Key Activation Observer (cKAO)
- Appointment of JP DNSSEC Key Activation Observer
----------------------------------------------------------------
JP DNSSEC Key Activation Observer (KAO)
- Observation of activation of KSK used for JP DNSSEC Service
----------------------------------------------------------------
4.2.2. Number of persons required per task
SKO consists of multiple personnel. For KSK-related operations,
including key activation, KAO joins the SKO members in the
operation.
4.2.3. Identification and authentication for each role
Permission to operate the Important Facilities is granted to each
operator individually. When using the Important Facilities, only
authorized operations are allowed, and only after the operator has
been authenticated.
4.2.4. Tasks requiring separation of duties
The same person is not assigned as both SKO and KAO at the same
time. This ensures that the KSK is not activated by SKO alone.
4.3. Personnel Controls
4.3.1. Qualifications, experience, and clearance requirements
Persons who have "Trusted Role" as described in 4.2.1 are limited
to full time employees of the Registry. Persons who have other
roles are full time employees of the Registry or those who are
specifically approved by the Registry.
4.3.2. Background check procedures
Not applicable in this document.
4.3.3. Training requirements
The Registry provides training to personnel in charge of JP DNSSEC
Service as follows:
- Before taking on a role in operating JP DNSSEC Service, personnel
receive the training required for that role.
- When an operational procedure is changed, the affected
descriptions in operation manuals are updated promptly and training
associated with the change is provided.
4.3.4. Retraining frequency and requirements
The Registry periodically examines the need for re-training of
personnel in charge of JP DNSSEC Service. Re-training is provided
as necessary.
4.3.5. Job rotation frequency and sequence
Not applicable in this document.
4.3.6. Sanctions for unauthorized actions
Not applicable in this document.
4.3.7. Contracting personnel requirements
Not applicable in this document.
4.3.8. Documentation supplied to personnel
The Registry discloses a set of required documents for operations
in JP DNSSEC Service to the personnel and ensures that they are
fully acquainted with the documents.
4.4. Audit Logging Procedures
4.4.1. Types of events recorded
In order to detect incorrect or illegal operations and to prove
the legitimacy of operations related to JP DNSSEC Service, the
Registry records the following events as "the Audit Logs":
- Events of access to facilities for JP DNSSEC Service
- Events of operations using signing keys
+ Activation of KSK used for JP DNSSEC Service
+ Generation/Deletion of KSK/ZSK used for JP DNSSEC Service
+ Roll-over of KSK/ZSK used for JP DNSSEC Service
+ Composition of signature for the JP zone by KSK/ZSK
+ Registration of DS record(s) of the JP zone into the root zone
- Events of confirmation for recorded facts in the Audit Logs
Each event record includes the date and time of the event, the
entity that initiated the event and the contents of the event.
4.4.2. Frequency of processing log
The Registry checks the Audit Logs automatically at a frequency
sufficient to detect promptly whether serious security incidents
have occurred. If any records requiring action are detected,
appropriate personnel are notified immediately.
4.4.3. Retention period for audit log information
The Registry keeps the Audit Logs for at least 3 months in a
manner of being able to access them promptly. Archives of the
Audit Logs are kept for at least 3 years.
4.4.4. Protection of audit log
The Registry limits access to the Audit Logs to the necessary
personnel only, in order to protect the Audit Logs from browsing,
modification or deletion by unauthorized parties.
4.4.5. Audit log backup procedures
The Registry backs up the Audit Logs to external storage media
periodically. These media are stored in lockable cabinet(s) in a
room where entry and exit are controlled appropriately.
4.4.6. Audit collection system
The online Audit Log collection system is a component of the
system used for JP DNSSEC Service ("JP DNSSEC Service System") and
is installed at the same location as JP DNSSEC Service System.
Offline Audit Logs are recorded by the Trusted Roles described
above and stored in secure storage cabinet(s) at a facility
managed by the Registry.
4.4.7. Notification to event-causing subject
Not applicable in this document.
4.4.8. Vulnerability assessments
The Registry carries out vulnerability monitoring as described in
section 4.4.2 in order to detect unauthorized actions such as
break-in attempts on JP DNSSEC Service System. Vulnerability
assessments of the system are also performed as necessary.
4.5. Compromise and Disaster Recovery
4.5.1. Incident and compromise handling procedures
If the private key of the JP zone is compromised, or is likely to
have been compromised, the Registry carries out an emergency
roll-over of the signing key. When JP DNSSEC Service is
discontinued due to an accident or disaster, the Registry attempts
to restart JP DNSSEC Service as quickly as possible.
4.5.2. Corrupted computing resources, software, and/or data
When important hardware, software or data related to JP DNSSEC
Service is broken or damaged, the Registry attempts to recover it
promptly using backed-up hardware, software or data according to
the prescribed recovery plan.
4.5.3. Entity private key compromise procedures
When the KSK of the JP zone becomes compromised, the Registry
carries out the following procedures:
- Re-generation of KSK of the JP zone;
- Composition of signature for DNSKEY records in the JP zone by
re-generated KSK; and
- Replacement of DS record registered in the root zone with the
one corresponding to re-generated KSK.
When the ZSK of the JP zone becomes compromised, the Registry
carries out the following procedures:
- Re-generation of ZSK of the JP zone;
- Composition of signature for DNSKEY records containing
re-generated ZSK by KSK of the JP zone; and
- Composition of signatures for authoritative records in the JP
zone by re-generated ZSK.
4.5.4. Business continuity and IT disaster recovery capabilities
In cases where JP DNSSEC Service cannot be continued due to
damage to the facilities by a disaster, the Registry attempts to
recover the service promptly at the remote backup site configured
beforehand.
4.6. Entity Termination
In order to prepare for cases where JP DNSSEC Service cannot be
continued due to termination of the Registry, the information
necessary for JP DNSSEC Service is deposited with an escrow agent
according to the following document (no English translation is
available).
http://jprs.co.jp/doc/redelegation/transfer_j.html
In case of termination of the Registry, JP DNSSEC Service is also
terminated in accordance with the operation termination procedures
defined by the Registry.
5. TECHNICAL SECURITY CONTROLS
5.1. Key Pair Generation and Installation
5.1.1. Key pair generation
The signing keys used for JP DNSSEC Service are generated by
multiple SKO members on an offline system installed in the
Important Facility Room ("JP DNSSEC Service Offline System"). The
KSK of the JP zone is generated by software inside a dedicated
cryptographic module connected to the system. The ZSK of the JP
zone is generated on the system and stored on removable media on
which all data are encrypted ("the Encryption Media").
5.1.2. Public key delivery
The Registry deploys the KSK public key and the ZSK private/public
key pair into JP DNSSEC Service System using the Encryption Media.
The KSK public key is not distributed to relying parties in any
way other than the DNS protocol.
5.1.3. Public key parameters generation and quality checking
The Registry periodically confirms that signing keys are
generated with appropriate parameters in light of technological
trends.
5.1.4. Key usage purposes
The Registry uses the signing keys only for generating signatures
for the JP zone and does not use them for any other purposes.
5.2. Private Key Protection and Cryptographic Module Engineering Controls
5.2.1. Cryptographic module standards and controls
Not applicable in this document.
5.2.2. Private key multi-person control
Operations using the KSK private key are performed by multiple SKO
members.
5.2.3. Private key escrow
Private keys of the JP zone are not escrowed.
5.2.4. Private key backup
SKO backs up multiple copies of the KSK private key into separate
cryptographic modules. These cryptographic modules are stored in
lockable cabinets inside the Important Facility Rooms mentioned in
4.1.8.
5.2.5. Private key storage on cryptographic module
Not applicable in this document.
5.2.6. Private key archival
Obsolete private keys are not archived, except for backups
mentioned above.
5.2.7. Private key transfer into or from a cryptographic module
Once the KSK private key has been installed in the cryptographic
module, it cannot be retrieved. Using the KSK private key installed
in the cryptographic module requires operation by multiple SKO
members. Installing the ZSK private key onto the Encryption Media
also requires operation by multiple SKO members.
5.2.8. Method of activating private key
The KSK private key is activated by multiple SKO members on JP
DNSSEC Service Offline System, and the activation is observed by
KAO. The ZSK private key is activated by multiple SKO members. The
ZSK remains active until its usage period ends.
5.2.9. Method of deactivating private key
Once the KSK private key has been used by SKO, it is deactivated
immediately, and the deactivation is observed by KAO. The ZSK
private key is deactivated by multiple SKO members before it
reaches the upper limit of the usage period described in section
5.3.2.
5.2.10. Method of destroying private key
The KSK/ZSK private key is destroyed by SKO in a manner that
prevents it from ever being used again.
5.3. Other Aspects of Key Pair Management
5.3.1. Public key archival
Obsolete public keys are not archived.
5.3.2. Key usage periods
The upper limit of usage period for KSK is one year plus
appropriate period for transition. The upper limit of usage period
for ZSK is one month. The Registry may change these periods as
necessary.
5.4. Activation Data
5.4.1. Activation data generation and installation
Activation data is a set of passphrases used to activate the KSK.
Each SKO member generates a passphrase individually and installs it
on JP DNSSEC Service Offline System.
5.4.2. Activation data protection
SKO protects activation data in a sufficiently secure manner.
5.4.3. Other aspects of activation data
In order to prepare for emergencies, SKO seals a copy of the
activation data in tamper-evident envelope(s). If it becomes
necessary to break this seal, it is done under the control of
cSKO.
5.5. Computer Security Controls
On the important components of JP DNSSEC Service System ("the
Important Components"), only minimum necessary software defined by
the Registry runs. All the important operations on the Important
Components will be logged. All the authentication credentials used
to access the Important Components are properly controlled. The
Important Components are monitored continuously, and if any
abnormalities or illegal operations on them are detected, the
Registry takes appropriate countermeasures promptly.
5.6. Network Security Controls
Firewalls are applied to networks on which JP DNSSEC Service is
deployed, and access from outside of the networks is limited to
minimum necessary protocols defined by the Registry.
5.7. Timestamping
The Registry obtains the time for JP DNSSEC Service Offline System
from reliable time source(s) and synchronizes the system clocks
with it. For JP DNSSEC Service System, the Registry obtains the
time via NTP (Network Time Protocol) and synchronizes the system
clocks. The synchronized time is used for timestamping the audit
logs described in section 4.4 and for the inception/expiration
times of the RRSIG validity period.
5.8. Life Cycle Technical Controls
5.8.1. System development controls
The Registry controls each process at system development and
evaluates the system prior to deploying it, in order to maintain
the quality and security of JP DNSSEC Service System.
5.8.2. Security management controls
As security controls for JP DNSSEC Service System, the Registry
undertakes countermeasures such as entry/exit controls, staff
controls including training, operation controls including
authority control, and system controls including intrusion
protection and virus protection.
5.8.3. Life cycle security controls
The Registry periodically evaluates whether the development of JP
DNSSEC Service System is controlled in the prescribed manner.
Moreover, the Registry gathers security-related information,
surveys technical trends, and evaluates and improves the system as
necessary.
6. ZONE SIGNING
6.1. Key Length and Algorithms
Algorithms defined by the protocol standards are adopted for the
signing keys of the JP zone, and an algorithm and key length that
are considered secure for the usage period are chosen.
Accordingly, the algorithm for both KSK and ZSK is RSASHA256 as
specified in RFC 5702, and the key length is 2048 bits for the KSK
and 1024 bits for the ZSK.
6.2. Authenticated Denial of Existence
For authenticated denial of existence in the JP zone, the method
using NSEC3 records with Opt-Out flag specified in RFC 5155 is
adopted.
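Section 6.2 names the method but not its mechanics. The Python example below, added for illustration (not JPRS code), implements the RFC 5155 hashed-owner computation and the span lookup a validating resolver performs on an NSEC3 chain, and shows what the Opt-Out flag changes: a name with no NSEC3 of its own is either proven nonexistent (covered by a span without Opt-Out) or, when the covering span has Opt-Out set, possibly an unsigned delegation, so only an Insecure result can follow. The zone example.jp, its names, salt and iteration count are constructed for the example; build_chain is a simplified stand-in for a signer and assumes the same Opt-Out setting on every record.

```python
import base64
import hashlib

# base32hex (RFC 4648 section 7) preserves the sort order of the hash bytes, which is
# what lets the chain be ordered by comparing the encoded strings directly.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner: str, salt: bytes, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5: SHA-1(x || salt) applied iterations+1
    times to the canonical (lowercase) wire-format owner name, encoded in base32hex."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    x = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    for _ in range(iterations + 1):
        x = hashlib.sha1(x + salt).digest()
    return base64.b32encode(x).decode("ascii").translate(_TO_B32HEX)  # 20 bytes -> 32 chars


def build_chain(signed_names, salt: bytes, iterations: int, opt_out: bool):
    """Constructed NSEC3 chain (a stand-in for the signer's output, not a full signer):
    one (owner_hash, next_hash, opt_out) entry per name that has an NSEC3 RR, sorted by
    hash, each pointing at the next and the last wrapping to the first. Under Opt-Out
    (JP DPS 6.2) unsigned delegations get no record of their own, so they are simply
    absent from signed_names."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in signed_names})
    return [(h, hashes[(i + 1) % len(hashes)], opt_out) for i, h in enumerate(hashes)]


def covering_nsec3(chain, target_hash: str):
    """The record whose (owner, next) span strictly contains target_hash. The record with
    owner >= next is the last one; its span wraps around the end of the hash space.
    Returns None when target_hash equals an owner hash (a match, not a cover)."""
    for owner, nxt, opt_out in chain:
        if owner == target_hash:
            return None
        wraps = owner >= nxt
        if (not wraps and owner < target_hash < nxt) or \
           (wraps and (target_hash > owner or target_hash < nxt)):
            return (owner, nxt, opt_out)
    return None


def classify(chain, name: str, salt: bytes, iterations: int) -> str:
    """What a validating resolver can conclude about `name` from the chain:
    'matches'        - the name has its own NSEC3 RR, so it exists in the signed zone;
    'covered-secure' - covered by a span without Opt-Out: the name does not exist;
    'covered-optout' - covered by an Opt-Out span: nonexistent or an unsigned
                       delegation, so the answer is at most Insecure (RFC 5155 sec. 6)."""
    h = nsec3_hash(name, salt, iterations)
    if any(owner == h for owner, _, _ in chain):
        return "matches"
    rr = covering_nsec3(chain, h)
    if rr is None:
        raise ValueError("incomplete NSEC3 chain")
    return "covered-optout" if rr[2] else "covered-secure"


if __name__ == "__main__":
    # Constructed zone: apex, one signed delegation, one ordinary name. The unsigned
    # delegation insecure.example.jp has no NSEC3 of its own, as Opt-Out allows.
    salt, iterations = bytes.fromhex("0102"), 1
    signed = ["example.jp", "secure.example.jp", "www.example.jp"]
    for opt_out in (True, False):
        chain = build_chain(signed, salt, iterations, opt_out)
        for name in ("secure.example.jp", "insecure.example.jp"):
            print(f"opt_out={opt_out!s:5} {name:22} -> "
                  f"{classify(chain, name, salt, iterations)}")
```

The practical consequence for relying parties (section 1.3.4) is that, with Opt-Out, a Registrant Zone that has not registered a DS record still resolves, but as Insecure rather than Secure; only once its DS is published and signed in the JP zone (section 3.2) does the zone obtain its own NSEC3 record and a validated chain of trust.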
6.3. Signature Format
The signature format for records in the JP zone is RSA/SHA-2
specified in RFC 5702.
6.4. Zone Signing Key Roll-over
In the JP zone, roll-over of ZSK is carried out on a monthly basis
by the pre-publish method described in RFC 4641.
6.5. Key Signing Key Roll-over
In the JP zone, roll-over of KSK is carried out on an annual basis
by the double signature method described in RFC 4641.
6.6. Signature Validity Period and Re-signing Frequency
In the JP zone, the validity period of signatures made with the
KSK is around 2 months, and that of signatures made with the ZSK
is around 1 month. The re-signing frequency is monthly for the KSK
and weekly for the ZSK.
6.7. Verification of Zone Signing Key Set
Before pre-publishing a ZSK, the Registry checks that each of the
following processes has been performed correctly:
- Generation of ZSK in offline environment by secure method;
- Addition of the ZSK to DNSKEY RRset and composition of signature
to the RRset with KSK in offline environment;
- Transmission of the ZSK and signature for the RRset to JP DNSSEC
Service System using dedicated secure channel(s); and
- Verification of whether the ZSK composes chain of trust to the
JP zone.
6.8. Verification of Resource Records
The Registry verifies that all the resource records are conformant
with the protocol standards before they are published on the JP
zone.
6.9. Resource Records TTL
In the JP zone, the TTL of DNSKEY, DS and their corresponding
RRSIG records is set to 86400 (1 day). The TTL of NSEC3,
NSEC3PARAM and their corresponding RRSIG records is set to 900
(15 min.), which is the same as the negative cache value for the
JP zone. These TTLs may be changed to appropriate values in line
with technical trends.
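Sections 6.4 to 6.6 and 6.9 give the roll-over methods, their cadence, the signature validity periods and the TTLs. The Python example below, added here (not JPRS code), turns them into the earliest safe step times that RFC 4641 derives for the pre-publish ZSK roll-over and the double-signature KSK roll-over, and checks whether each roll-over fits within the usage periods of section 5.3.2. The DNSKEY TTL (86400 s) and the ZSK signature validity (about 1 month) are taken from JP DPS; the DS TTL in the parent, the maximum zone TTL, the propagation slack and the start date are assumptions for illustration. The emergency roll-over of section 4.5.3 follows the same step order, but JP DPS states no timing for it, so it is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Timings:
    dnskey_ttl: timedelta    # TTL of the DNSKEY RRset (JP DPS 6.9: 86400 s)
    ds_ttl: timedelta        # TTL of the DS in the parent zone (assumed; not stated in JP DPS)
    max_zone_ttl: timedelta  # largest TTL of any RRset signed by the ZSK (assumed)
    sig_validity: timedelta  # RRSIG validity period (JP DPS 6.6: about 1 month for ZSK)
    propagation: timedelta   # slack for zone transfer / parent update (assumed)


def jp_timings() -> Timings:
    """Values from JP DPS 6.6 and 6.9 where given; the rest are assumptions for illustration."""
    return Timings(dnskey_ttl=timedelta(seconds=86400),
                   ds_ttl=timedelta(days=1),         # assumed
                   max_zone_ttl=timedelta(days=1),   # assumed
                   sig_validity=timedelta(days=30),  # "around 1 month"
                   propagation=timedelta(hours=1))   # assumed


def zsk_prepublish_schedule(start: datetime, t: Timings, full_resign: bool = True) -> dict:
    """Earliest safe step times for the pre-publish ZSK roll-over (RFC 4641 section 4.2.1.1).
    new_dnskey     : new ZSK added to the DNSKEY RRset; zone still signed by the old ZSK.
    new_rrsigs     : zone signed by the new ZSK, only after every cached DNSKEY RRset that
                     lacks the new key has expired (DNSKEY TTL + propagation).
    dnskey_removal : old ZSK dropped, only after no RRSIG made with it can still be cached.
                     If the whole zone was re-signed at new_rrsigs that is max zone TTL +
                     propagation; if old signatures are replaced gradually (weekly re-signing
                     as in JP DPS 6.6) the conservative bound adds the full validity period."""
    new_rrsigs = start + t.dnskey_ttl + t.propagation
    gone = t.max_zone_ttl + t.propagation
    if not full_resign:
        gone += t.sig_validity
    return {"new_dnskey": start, "new_rrsigs": new_rrsigs, "dnskey_removal": new_rrsigs + gone}


def ksk_double_signature_schedule(start: datetime, t: Timings) -> dict:
    """Earliest safe step times for the double-signature KSK roll-over (RFC 4641 section 4.2.2).
    new_dnskey     : new KSK added; the DNSKEY RRset is signed by both old and new KSK.
    ds_change      : parent publishes the DS of the new KSK, only after cached DNSKEY RRsets
                     lacking the new key have expired (DNSKEY TTL + propagation).
    dnskey_removal : old KSK and its signature dropped, only after the old DS has expired
                     from caches (DS TTL + propagation)."""
    ds_change = start + t.dnskey_ttl + t.propagation
    return {"new_dnskey": start, "ds_change": ds_change,
            "dnskey_removal": ds_change + t.ds_ttl + t.propagation}


def fits_in_cycle(schedule: dict, cycle: timedelta) -> bool:
    """True if the whole roll-over completes within one key usage period (JP DPS 5.3.2)."""
    return schedule["dnskey_removal"] - schedule["new_dnskey"] <= cycle


def example_schedules() -> dict:
    """Schedules from a constructed start date, with ISO-formatted step times."""
    start, t = datetime(2011, 2, 1, 0, 0, 0), jp_timings()  # start date is constructed
    raw = {"zsk_full_resign": zsk_prepublish_schedule(start, t, True),
           "zsk_gradual_resign": zsk_prepublish_schedule(start, t, False),
           "ksk": ksk_double_signature_schedule(start, t)}
    return {k: {step: when.isoformat() for step, when in s.items()} for k, s in raw.items()}


def check_jp_cycles() -> dict:
    """Do the schedules fit the JP DPS cadences (ZSK monthly, KSK annual; sections 6.4, 6.5)?"""
    start, t = datetime(2011, 2, 1), jp_timings()
    return {"zsk_monthly_full_resign":
                fits_in_cycle(zsk_prepublish_schedule(start, t, True), timedelta(days=30)),
            "zsk_monthly_gradual_resign":
                fits_in_cycle(zsk_prepublish_schedule(start, t, False), timedelta(days=30)),
            "ksk_annual":
                fits_in_cycle(ksk_double_signature_schedule(start, t), timedelta(days=365))}


if __name__ == "__main__":
    for name, steps in example_schedules().items():
        print(name)
        for step, when in steps.items():
            print(f"  {step:15s} {when}")
    print(check_jp_cycles())
```

With the assumed values, the ZSK roll-over fits comfortably in a monthly cycle only when the whole zone is re-signed with the new ZSK at the new_rrsigs step; under the conservative bound for gradual re-signing the old ZSK would have to stay published beyond the month. That is the reason the pre-publish scheme of RFC 4641 re-signs the zone with the new key at that step rather than letting old signatures age out.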
7. COMPLIANCE AUDIT
A regular audit of JP DNSSEC Service is performed by the Auditor
described in section 1.3.5. The audit reports are provided to the
Registry. The Registry applies operational improvements to JP
DNSSEC Service as necessary.
8. LEGAL MATTERS
The Registry has no legal responsibilities for the matters
described in JP DPS. When operating JP DNSSEC Service, the
Registry follows the laws of Japan and the rules defined by the
Registry (No English translation is available).
http://jprs.jp/info/document.html