This document was drafted in accordance with the rules given in GB/T 1.1-202, Directives for standardization, Part 1: Rules for the structure and drafting of standardizing documents.
This document replaces GB/T 33134-2016, Information security technology: Security requirements for public domain name service systems. Compared with GB/T 33134-2016, apart from structural adjustments and editorial changes, the main technical changes are as follows:
a) Added the terms "name space" and "public domain name service system" (see 3.1 and 3.11).
b) Deleted the description of Figure 1 (see Chapter 5; 4.1 of the 2016 edition).
c) Added security requirements for the deployment of important DNS infrastructure and for public domain name service systems serving important government websites (see Chapter 5; 4.2 of the 2016 edition).
d) Changed the protocol requirements (see 6.1.1 and 6.2.1; 5.1.1 and 5.2.1 of the 2016 edition).
e) Added system security requirements and resolution security requirements for authoritative servers (see 6.1.3).
f) Added security requirements for the connection between recursive servers and clients (see 6.2.3).
g) Added system security requirements and resolution security requirements for recursive servers (see 6.2.4).
h) Changed the requirements for access control of externally open services (see 7.7.1; 6.7.1 of the 2016 edition).
i) Added security requirements for the deployment of critical DNS infrastructure (see A.1 of Appendix A).
j) Added security requirements for public domain name service systems serving important government websites (see A.2 of Appendix A).
Please note that some of the contents of this document may be subject to patents. The issuing body of this document does not assume responsibility for identifying any such patents.
This document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
1 Scope
This document specifies the security technical requirements and security management requirements for public domain name service systems.
This document applies to the operation and management of public domain name service systems at all levels.
2 Normative reference document
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
YD/T 2052-2015 Domain name system security protection requirements
YD/T 2137 Technical requirements for the operation of domain name system recursive servers
YD/T 2138 Technical requirements for the operation of domain name system authoritative servers
YD/T 2142 General technical requirements for Chinese domain names based on the internationalized multilingual domain name system
YD/T 2143 Technical requirements for Chinese domain name encoding and processing based on the internationalized multilingual domain name system
YD/T 2438 Requirements for Chinese domain name registration word lists based on the internationalized multilingual domain name system
IETF RFC 1034 Domain names: concepts and facilities
IETF RFC 1035 Domain names: implementation and specification
IETF RFC 4033 DNS Security Introduction and Requirements
IETF RFC 4034 Resource Records for the DNS Security Extensions
IETF RFC 4035 Protocol Modifications for the DNS Security Extensions
IETF RFC 8310 Usage Profiles for DNS over TLS and DNS over DTLS
IETF RFC 8484 DNS Queries over HTTPS (DoH)
3 Terminology and Definitions
The following terms and definitions apply to this document.
4 Abbreviations
The following abbreviations apply to this document.
AS: Autonomous System
5 Overview
The domain name service system has a tree topology; different categories of domain name service organizations are responsible for domain name resolution services at different levels of the tree. The correspondence is shown in Figure 1.
6 Public domain name service system security technical requirements
6.1 Authoritative domain name service system technical requirements
6.1.1 Protocol requirements
The authoritative domain name server ("authoritative server") implementation of an authoritative domain name service system shall comply with IETF RFC 1034, IETF RFC 1035, IETF RFC 4033, IETF RFC 4034 and IETF RFC 4035.
6.1.2 Topology Planning Requirements
For an authoritative domain, the servers providing authoritative resolution shall be deployed in multiple instances for redundancy, shall be located in several different autonomous systems, and shall be reasonably distributed geographically so that disasters such as natural hazards can be survived. The specific number and distribution of deployments shall conform to YD/T 2138.
6.1.3 Authoritative server security requirements
6.1.3.1 System security requirements
6.2 Recursive domain name service system technical requirements
6.2.1 Protocol requirements
The recursive domain name server ("recursive server") of a recursive domain name service system should provide secure query, caching and other basic functions, and should comply with IETF RFC 1034, IETF RFC 1035, IETF RFC 4033, IETF RFC 4034 and IETF RFC 4035.
6.2.2 Topology Planning Requirements
The servers providing recursive resolution for an autonomous system should be deployed in multiple instances for redundancy. Different recursive servers within the same autonomous system shall be distributed so that the paths from a user to the two servers that user accesses share no single point of failure. The specific number and distribution of deployments shall conform to YD/T 2137.
6.2.3 Recursive server and client connection requirements
An encrypted and reliable connection between the recursive server and the client may optionally be established for data transmission. The recursive server may connect to the client using DNS over TLS (DoT) or DNS over HTTPS (DoH).
a) If DNS over TLS is chosen, it shall comply with IETF RFC 7858 and IETF RFC 8310; if DNS over HTTPS is chosen, it shall comply with IETF RFC 8484.
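As an added example, not part of the standard, the following Python shows what the two transport choices in 6.2.3 look like on the wire: a query is built in RFC 1035 wire format, framed as RFC 7858 requires for DNS over TLS (a two-octet length prefix on the TLS stream, served on port 853) and encoded as an RFC 8484 DoH GET (base64url with padding omitted in the dns parameter, served on port 443); these are also the ports 7.7.1 expects an open resolver to expose. The query name www.example.com and the constants are constructed here; nothing is sent over the network. The DoH encoding of that query reproduces the example value printed in RFC 8484 section 4.1, which serves as the check.

```python
"""Wire-format framing of a DNS query for DoT (RFC 7858) and DoH (RFC 8484).

Added example with constructed inputs; performs no network access.
"""
import base64
import struct

# Well-known ports for the two encrypted transports (see 7.7.1)
DOT_PORT = 853
DOH_PORT = 443

QTYPE_A = 1
QTYPE_OPT = 41
QCLASS_IN = 1
EDNS_DO_FLAG = 0x8000  # DNSSEC OK bit in the OPT RR TTL field


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels (length-prefixed, root terminated)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        data = label.encode("ascii")
        if not 0 < len(data) < 64:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(data))
        out += data
    out.append(0)
    return bytes(out)


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0,
                dnssec_ok: bool = False) -> bytes:
    """Build a standard query (RD=1). txid=0 is what RFC 8484 section 4.1
    recommends for DoH so identical queries yield identical, cacheable URLs."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if dnssec_ok:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-RCODE(0) | version(0) | flags(DO), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0, EDNS_DO_FLAG, 0)
    return msg


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: each message on the TLS stream carries a two-octet
    big-endian length prefix, exactly as for DNS over TCP (RFC 1035 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> list:
    """Split bytes read from a DoT connection into complete DNS messages.
    A trailing partial message is left unparsed rather than being treated as
    a truncated (and therefore malformed) message."""
    msgs = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def doh_get_path(msg: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 section 4.1: a GET carries the message in the 'dns' query
    parameter, base64url-encoded with the '=' padding omitted."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_decode_dns_param(value: str) -> bytes:
    """Reverse of doh_get_path: restore padding, then base64url-decode."""
    padding = "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value + padding)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("DoT frame (hex):", dot_frame(q).hex())
    print("DoH GET path   :", doh_get_path(q))
```

The same 33-byte message travels on both transports; only the outer framing differs. A DoT receiver must accumulate stream bytes until the length-prefixed message is complete, and a DoH server must accept the unpadded form of the dns parameter, which is why both directions are shown.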
6.2.4 Recursive server security requirements
6.2.4.1 System security requirements
System security shall meet the security protection requirements of YD/T 2052-2015 for domain name systems at protection level 3 and above. The system security requirements are as follows:
7 Public domain name service system security management requirements
7.1 Asset management requirements
7.1.1 Asset list
The assets involved in the public domain name service shall be clearly identified, and a list of the core assets of the public domain name service system shall be prepared and maintained. The list shall include all assets needed for disaster recovery; assets related to the public domain name service system may include information assets, software assets, physical assets, services, personnel and intangible assets.
7.1.2 Responsible person for assets
All information and assets related to the public domain name service system shall be assigned to responsible departments and personnel. The person responsible for an asset shall:
a) ensure that information and assets related to the public domain name service system are properly classified;
b) determine and periodically review access restrictions and classifications.
7.1.3 Compliance Use of Assets
Rules for the acceptable use of information and assets associated with the public domain name service system shall be identified, documented and implemented.
7.7 Access control management requirements
7.7.1 Access control of external open services
Services that the public domain name service system opens to the public should expose only UDP and TCP port 53. If DoH and DoT services are supported, port 443 for the DoH protocol and port 853 for the DoT protocol should also be provided.
7.7.2 Access control policy and user access management
Access control policy and user access management requirements are as follows:
a) the access control policy shall clearly define the access control rules and rights for each user or each group of users;
b) the allocation and use of special privileges shall be restricted and controlled to prevent unauthorized access; on multi-user systems, the allocation of special privileges shall be controlled through a formal authorization process;
c) the allocation of permissions shall be checked periodically to ensure that user access rights are correctly allocated, the
Appendix A (normative) Security requirements for important DNS infrastructure and for public domain name service systems of important government websites
Contents of GB/T 33134-2023
Foreword
1 Scope
2 Normative reference document
3 Terminology and Definitions
4 Abbreviations
5 Overview
6 Public domain name service system security technical requirements
7 Public domain name service system security management requirements
Appendix A (normative) important DNS infrastructure and public domain name service system security requirements for important government websites