- Cookies that enable provisioning of services you require.
- Cookies that inform NIC about your visit on the website www.nic.lv - your consent is necessary for use of these cookies.
This document is the NIC.LV Registry Services DNSSEC Practice Statement (DPS). It defines the operational procedures for the management of DNS Security Extensions (DNSSEC) in the Latvian top-level domain .LV
DNSSEC is an extension to the existing DNS-System that enables the authentication of DNS data and makes it possible to verify that the content of a DNS response has not been modified.
Resource record sets secured with DNSSEC are cryptographically signed and use asymmetric cryptography to establish a so-called “chain of trust” that traverses the public DNS tree. This trust originates at the root zone and follows the same delegation process as that of domain name registrations.
Document title: DNSSEC Practice Statement for .LV zone
Version: 0.2.0
Created: 2012-01-16
Updated: 2012-08-31
The following roles and delegation of liability with regard to DNSSEC have been identified:
NIC.LV is responsible for the TLD .LV. This means that this organization is responsible for the management of all data related to registration, modification and deletion of (2nd level)-domain names under .LV. The Registry is also responsible for generating the relevant cryptographic keys, ensuring protection for those keys, signing the actual zone file and the registration and maintenance of DS records in the root zone.
The Registrar is responsible for the administration and management of domain names on behalf of the Registrant. They are also responsible for the registration and maintenance of the corresponding DS Records within the Registry.
The DNSSEC Service Provider is a Registrar responsible for the administration and management of the DNSSEC keys of a domain name within the Registry on behalf of the Registrant but not necessarily responsible for the management of the domain name.
The Registrant is a physical or legal entity that controls a domain name. They are responsible for the proper signing of child zones and the registration and maintenance of DS records through the Registrar or directly through the .LV Registry. If necessary, the process of zone signing can be delegated to the Registrar.
This DPS is updated as appropriate to reflect modifications in systems or procedures.
Agency of the University of Latvia “Institute of Mathematics and Computer Science of University of Latvia” Network Solutions Department - NIC.LV
Address: Raina bulvaris 29, Riga, LV-1459, Latvia
Telephone: +371-67085858
E-mail: dns@nic.lv
Amendments to this DPS are either made in the form of amendments to the existing document or the publication of a new version of the document. This DPS and amendments to it are published at: https://www.nic.lv/en/dnssec-en
DNSSEC-relevant information will be published on the website of https://www.nic.lv/en/dnssec-en
The deployed KSKs are published in the form of DS Records directly in the root zone. No other trust anchors or repositories are used.
DNSSEC is activated by at least one DS record for the zone being sent from the Registrar or the Registrant to the Registry and thus being published in the DNS, which established a chain of trust to the child zone. During the first DS submission the Registry will perform DS record and DNSKEY validation, this could be overridden by DS record submitter if necessary.
Responsibility for the identification and authentication of a child zone manager rests with the Registrar and the Registrant.
The Registry accepts DS records through its EPP interface from any Registrar. The Registrar is identified and authenticated via EPP. Registrants can enter their DS Records via web interface. The DS record must be valid and sent in the format indicated in RFC 5910. Up to 4 DS records can be registered per domain name. The registrar and the registrant can also remove all or selected DS records for a domain name.
The Registry does not perform any validation checks for authenticating the Registrant as the manager or holder of a specific private key.
DS records can be removed via the EPP interface by the respective registrar or via web interface by the registrant.
NIC.LV has implemented the Security Policy, which supports the security requirements of this DPS.
NIC.LV operates fully-operational data centre in Latvia. Data centre includes separated server-rooms, separated cabinets and additional off-site backup outside of the primary data centre.
Physical access to operation centres is restricted to authorized personnel. Entry is logged and the environment is continuously monitored.
Operation centres are equipped with multiple power sources, including battery and generator support to ensure an uninterrupted supply.
Operation centres are cooled with redundant air conditioning systems to ensure a consistent, stable operating environment.
The facilities located in “non-flood” areas therefore flood protection is not needed.
The facilities are equipped with fire detection and extinguishing systems.
Sensitive media is stored in a fireproof safe which is only accessible to the NIC.LV Senior Management and specifically designated personnel.
Sensitive documents and materials are shredded or destroyed before disposal.
NIC.LV performs regular backups of critical data. The storage facility is separated from other operational facilities of NIC.LV.
Trusted Persons include all employees, contractors, and consultants who have access to or control cryptographic operations that may materially affect:
Generation and protection of the private component of the .LV Zone Signing Key (ZSK) and Key Signing Key (KSK).
Secure export and import of any public components.
Generation and signing zone file data.
Trusted Persons include:
System Administrator, SA
Security Officer, SO
Trusted witness
Any non-automated procedure performed on the zone signer system requires at least one System Administrator and one Security Officer to be present.
Engineers taking part in the Trusted Roles have to have been working for the NIC.LV registry for no less than one year and must have the qualifications necessary for the DNS engineer job role.
Background checks are performed as part of the hiring process for all personnel.
Every person with a trusted role in the Key Generation procedure must be trained in the Key Generation procedure. The Registry periodically examines the necessity of re-training the personnel in charge of DNSSEC operations.
NIC.LV supplies the necessary documentation to each employee to perform their work task in a secure and satisfactory manner.
Logging is automatically carried out and involves the continuous collection of information regarding the activities that take place in the DNSSEC system. Logging information also includes the journals, checklists and other paper documents that are vital to security and that are required for auditing.
Entry to the facility
Remote access
Any type of DNSSEC operation
Logs are systematically analysed through automated and manual processes.
Log information is stored in log systems for not less than 1 year. Thereafter, the log information is archived for not less than 2 years.
The Registry limits access to the Audit Logs to only necessary personnel in order to protect the Audit Logs from browse, modification or deletion by unauthorized parties.
The Registry backups the Audit Logs on external media storage periodically.
All anomalies in logging information are investigated to analyse potential vulnerabilities.
If an event leads to, or could lead to, a detected security compromise, NIC.LV will perform an investigation to determine the nature of the incident. If NIC.LV suspect the incident has compromised the private component of an active key, an emergency key roll-over procedure will be performed.
In the event of a hardware fault System Administrator will manually activate secondary DNSSEC signing system. The faulty elements for the primary system will be replaced as soon as possible.
A suspected or actual ZSK compromise will be addressed by immediately removing the compromised ZSK from service, replacing it with a newly-generated or pre-generated replacement key. A suspected or actual KSK compromise will be addressed by an immediate key rollover.
In the event of a disruption to DNSSEC services due, for example, to a disaster at a data centre facility, the registry will recover the service(s) as soon as possible at the backup data centre.
If it becomes necessary to discontinue DNSSEC services, the Registry will invoke a pre-defined set of procedures. The general public will also be informed in such an event.
KSK generation takes place when necessary and must be performed by at least two Trusted Persons working in unison. These Trusted Persons are present during the entire operation. KSK of the .LV zone is generated on a dedicated and duplicate server system. ZSK of the .LV zone is generated automatically based on a ZSK key lifetime schedule.
The public part of the KSKs are exported and verified by the System Administrator and Security Officer. The Security Officer is responsible for publishing the DS record in the root zone. Newly generated keys will be synced automatically with the duplicate DNSSEC system. The System Administrator and the Security Officer are responsible for verifying synchronization.
The Registry periodically confirms that generation of signing key is conducted with appropriate parameters in the context of technological trends.
A key generated for DNSSEC purposes must only be used for DNSSEC activities and should never be used outside of the signing systems. A key must only be used for one zone and cannot be reused.
No private keys are ever found unprotected outside the DNSSEC infrastructure.
The Registry applies multi-person controls administratively.
The Registry does not apply a key escrow.
A backup copy of the protected private keys will be kept in a portable storage media which will be kept inside a tamper proof sealed bag and inside a fireproof safe.
All used keys are kept in an archive. Used keys are never reused.
Private keys are generated directly inside DNSSEC system. They will be automatically and instantly synced to a duplicate DNSSEC system.
KSK - is generated and activated by a Security Officer together with a System Administrator/Trusted witness. ZSK - is generated and activated automatically by the DNSSEC system.
KSK - is deactivated by a Security Officer together with a System Administrator/Trusted witness once it reaches the limit of the usage period. ZSK - is deactivated automatically by the system if it reaches the limit of the usage period and if new ZSK is published and available.
Private keys will not be destroyed and will be sent to archive.
Public keys are archived in accordance with the archiving of other information relevant to traceability in the system, such as log data.
The upper limit of usage period for KSK is three years plus appropriate period for transition. The upper limit of usage period for ZSK is 50 days. The Registry may change these periods as necessary. Old keys are never reused.
The registry has logically sectioned networks that are divided into various security zones with secured communications in-between. Logging is conducted in the firewalls. All sensitive information that is transferred over the communications network is always protected by strong encryption.
The DNSSEC systems securely synchronize their system clocks with a trusted time source inside the NIC.LV network.
The Registry controls each process at system development and evaluates the system prior to deploying it, in order to maintain the quality and security of the NIC.LV DNSSEC Service System. All source code is stored in a version control system. The source code archive is regularly backed up and copies are stored separately in a fireproof safe.
NIC.LV has technologies and policies in place to control and monitor the configurations of its systems. A security audit will be repeated at regular intervals.
The DNSSEC system is designed to require a minimum of maintenance. Updates critical to the security and operations of the signer system will be applied after formal testing and approval.
The signing of the .LV zone will use the following parameters. Any change to these parameters will be reflected in this document.
The RSA algorithm with a key length of 2048 bits is used for generating KSKs and a key length of 1024 bits used for generating ZSKs.
The Registry uses NSEC3 with OPT-OUT as defined in RFC 5155.
Signatures are generated using RSA operation over a cryptographic hash function using SHA-256 (RSA/SHA-256, RFC 5702).
The expected lifetime of the ZSK is 50 days with pre-publish method described in RFC 4641.
In the LV zone, roll-over of KSK is carried out once every three years or as needed with double signature method described in RFC 4641.
ZSK signatures will last from 5 to 60 days and will be resigned with each new zone.
Before publishing a signed zone on the name server, the zone must pass a number of checks:
Verification of the chain of trust from the DS Record in the root zone to the signature of the SOA record in the .LV zone Verification that the validity period of the signature of the SOA-Record is at least 5 days in the future Pass a number of predefined queries (with DNSSEC enabled) for special records in the zone
NIC.LV verifies that all resource records are valid according to the current standards prior to distribution. The integrity of the unsigned zone contents is also validated prior to distribution.
DNSKEY - Equal to the TTL used for the SOA record.
NSEC3 - Equal to the minimum field of the SOA record.
DS - Equal to the TTL used for the NS record.
RRSIG - varies, depending on the RRset signed.
Audits are conducted using retained logs and other relevant information to ensure that the proper procedures have been executed accurately. The Registry applies operational improvements to the NIC.LV DNSSEC Service as necessary.
Every two years NIC.LV engages external auditors to check on compliance with the security policy and procedures. Circumstances which might lead to additional audits being carried out include recurring anomalies, significant staff changes or changes in equipment.
The auditor must be able to demonstrate proficiency with IT security tools, security auditing, DNS and DNSSEC.
The Registry has no legal responsibilities for the matters described in this DPS. NIC.LV accepts no financial responsibility for improper use of Trust anchors or signatures, or any other improper use under this DPS. NIC.LV reserves the right to disable DNSSEC at any moment if the stability of .LV is at risk.
This DPS is valid until it is replaced by a new version.
Disputes among DNSSEC participants shall be resolved pursuant to provisions in the applicable agreements among the parties.
When operating the NIC.LV DNSSEC Service, the Registry follows the laws of the Republic of Latvia and the rules and procedures defined by the Registry.