modernisation-platform

ITHC Consider/Implement AWS DNSSEC

Open dms1981 opened this issue 3 years ago • 1 comments

User Story

As a modernisation platform engineer
I want to investigate AWS DNSSEC for public Route53 zones
So that our public domains are secured

Value

Our IT Healthcheck identified some points of configuration that could be adjusted to improve our security posture. AWS offer DNSSEC for domains in Route53, and as we publicly advertise gov.uk addresses we should consider the value of implementing DNSSEC for them. Implementing DNSSEC may come with additional costs in technical time, but will improve the security of services we offer, protecting them from situations such as DNS poisoning attacks.

Questions / Assumptions

See ITHC report for further details. Consider the cost in technical time from implementing/maintaining DNSSEC and the potential impact of failing to properly maintain this once implemented.

Definition of done

  • [ ] decision on DNSSEC has been reached with tech arch / product owner
  • [ ] DNSSEC successfully implemented
  • [ ] team documentation has been updated
  • [ ] another team member has reviewed
  • [ ] tests are green
  • [ ] public FQDNs tested successfully

Reference

How to write good user stories

dms1981, Feb 11 '22 09:02

Currently not possible, as neither the service.justice.gov.uk nor the justice.gov.uk subdomains have DNSSEC enabled, so we cannot establish a chain of trust.

davidkelliott, Sep 28 '22 15:09
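
The chain-of-trust constraint described in the comment above, as an added example that is not part of the original thread. It walks constructed delegation data (not live DNS) from the root down to a zone and reports where validation stops; the zone name `example.service.justice.gov.uk.` is hypothetical, and the signed state of `.`, `uk.` and `gov.uk.` is an assumption for illustration.

```python
# Constructed delegation data, not live DNS. "signed" means the zone publishes
# DNSKEY/RRSIG records; "ds_in_parent" means the parent publishes a DS for it.
# The two justice.gov.uk entries mirror the comment in this thread. The other
# states, and the hypothetical child zone name, are assumptions.
ZONES = {
    ".": {"signed": True, "ds_in_parent": True},        # root trust anchor
    "uk.": {"signed": True, "ds_in_parent": True},      # assumed
    "gov.uk.": {"signed": True, "ds_in_parent": True},  # assumed
    "justice.gov.uk.": {"signed": False, "ds_in_parent": False},
    "service.justice.gov.uk.": {"signed": False, "ds_in_parent": False},
    # Hypothetical Route53 zone with DNSSEC signing switched on:
    "example.service.justice.gov.uk.": {"signed": True, "ds_in_parent": False},
}


def ancestry(name):
    """Return the zones from the root down to `name`, one per label."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def validation_status(name, zones):
    """Classify `name` the way a validating resolver would.

    Returns (status, zone), where zone is the point at which the chain stops:
      secure   - every delegation has a DS and every zone is signed
      insecure - a delegation has no DS, so nothing below it can be validated
      bogus    - a DS exists but the zone is not signed (answers get SERVFAIL)
    """
    for zone in ancestry(name):
        record = zones[zone]
        if zone != "." and not record["ds_in_parent"]:
            return ("insecure", zone)
        if not record["signed"]:
            return ("bogus", zone)
    return ("secure", None)


if __name__ == "__main__":
    target = "example.service.justice.gov.uk."
    print(target, validation_status(target, ZONES))
```

The `bogus` case is the maintenance risk raised under "Questions / Assumptions": once a DS is published in the parent, a zone that stops being signed correctly fails validation outright instead of falling back to unsigned behaviour.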

Closed as we cannot do now - it is still on the risk register

SimonPPledger, Oct 31 '23 10:10