Deploy360 16 July 2012

How To Write A DNSSEC Practice Statement (DPS)

By Dan YorkDirector, Internet Technology

Are you planning to start using DNSSEC with your domain – and are you planning to start signing your domain yourself? In other words, are you going to be doing all the signing on your own server and/or in your own facilities?  (Versus using a service at a DNS hosting provider that does all the DNSSEC-signing for you.)

If you are, then a good place to start your planning is with the creation of what is called a “DNSSEC Practice Statement” or more simply a “DPS”.  A DPS is a document that outlines how you are implementing DNSSEC for your domain – and what security measures you are putting in place.

Basically, it is a statement that can help other people understand whether they can trust the security you put in place.

Typically the DPS documents created so far are for Top-Level Domains (TLDs) as they have been the focus of much of the DNSSEC deployment efforts to date.  For second-level domains, very often you may be able to use the services of your DNS hosting provider to sign your domains and so a full DPS may not be needed. But if you sign your own domain, a DPS can be a useful way to plan out the security for your signing.

Regardless of what you do, the existing DPS documents make for great reading to help you understand the security you may or may not need to put in place to ensure the security and integrity of our DNSSEC operations.

The place to begin for many of you may be to take a look at this Internet-Draft that explains the rationale for creating a DPS and provides a sample framework:

Some of you who like to simply dive into examples to see how a DPS is written may want to start looking through the examples we’ve added to this page:

DNSSEC Practice Statements

In particular you may want to start with the “.SE” DPS as the folks from .SE have been very involved with creating the entire DPS framework.  As you look through the examples, you’ll see a variety of different styles and lengths, from the very simple to the very complex.

If you have 15 minutes to spare, this video from 2010 offers Anne-Marie Eklund-Löwinder from .SE explaining the value of a DPS and what should be included:

The important aspect of a DNSSEC Practice Statement is to capture in one document how you are implementing DNSSEC and how you are securing the tools, servers and other components involved with DNSSEC.  Even if you are an enterprise who might never publicly publish a DPS, writing such a document can be a very useful exercise to ensure you are planning for all the necessary aspects of using DNSSEC to sign your domain.

P.S. If you create and publish a DPS, we’re always looking for more examples to add to our DPS page. Please let us know where your DPS is located online so that we can consider adding it to the page.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...