Best current practices for acquiring and using domain names

Domain names enable the association of a computer resource such as an IP address to a user-friendly readable and easy-to-remember name, such as www.ssi.gouv.fr.

Recent news showed that domain name service providers are significant risk vectors. Their compromise can lead to traffic and e-mail interception, denial of service, or even website defacement.

The stakes related to the acquisition of domain names from service providers and their usage must be fully understood by CISO and system and network architects of all entities having an Internet presence.

To answer these pitfalls, the French Network and Information Security Agency (ANSSI) publishes these guidelines: « Best Current Practices for Acquiring and Using Domain Names ». This document provides general guidance covering both organizational and technical aspects.

Recommendations cover:

• contractual requirements that domain name holders should consider during the acquisition process of a domain name from a service provider, including the availability of security mechanisms (registry lock, hardened authentication procedure, etc.) and service level agreements.
• guidance regarding system and network architecture for a robust and resilient deployment of authoritative name servers, including system hardening, deployment of mitigation strategies against distributed denial of service attacks, infrastructure diversification, and state-of-the-art follow-ups.

ANSSI encourages Internet stakeholders to internalize these guidelines and to follow them as closely and as soon as possible.