Zone Lock is an ironDNS® functionality that provides zone-based 2-factor authentication.
Example: financial sector
The financial sector, especially in the area of online transactions, is well known for taking considerable care over security and integrity. For several years now it has been common practice for customers to secure each and every transaction during online banking by entering a TAN or a similar password that is valid only once.
Transfer: ironDNS®
It is common practice for ironDNS® to look beyond its own field. Innovation does not necessarily mean inventing everything anew; it may well mean taking an established process, adjusting it, and implementing it.
In this spirit, transaction-based 2-factor authentication was taken from online banking and transferred to the realm of DNS zones. Unlike online banking, ironDNS® customers can decide for each zone individually whether it should benefit from the additional security or not.
Set-Up: simple and secure
Before Zone Lock can be used, the customers have to activate the service through ironDNS® support personnel and submit a PGP key. In this manual process it is checked whether the customers really are who they pretend to be and whether the submitted PGP key actually belongs to them.
Functionality: protect zones
After the set-up the customers can protect any (or all) of their zones by activating Zone Lock. Executing this action causes a new input field to appear in the ironDNS® Control Panel asking for a One Time Password (short: OTP). At the same time a PGP-encrypted e-mail containing an OTP is sent. Besides the password, which is only valid for five minutes, this e-mail contains information about the affected zones and the operation to be executed. After the decrypted OTP has been entered, protection of the zones is active. Every future change (including, of course, deactivation of Zone Lock) now likewise requires the input of a new OTP, which again is sent in a PGP-encrypted e-mail.
Special Case: source name server
In case a source name server is used (the zone data is managed by an external master name server), there are two different use cases:
- Zone Lock without automatic updates: In this case all changes to the zone are still only possible by entering an OTP. Should the source name server send a NOTIFY, it will not lead to an automatic update of the zone data. The customers have to explicitly order an update of the zone with the current source server's data by use of an OTP.
- Zone Lock with automatic updates: In this case changes to the zone (in particular deletion) still require the input of an OTP. However, contrary to the first case, the data of the source name server is trusted implicitly and is regularly and automatically transferred to ironDNS®.
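The following is an added illustration, not ironDNS® code, of the authorisation rules the page describes: an OTP bound to a set of zones and one operation, valid for five minutes and usable once, required for any change to a locked zone, and the two NOTIFY behaviours for source name servers. Class and method names are hypothetical; the OTP is returned by the function here instead of being sent in a PGP-encrypted e-mail.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # an OTP is valid for five minutes, as the page states


class ZoneLockService:
    """Hypothetical model of the Zone Lock change-authorisation flow."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be tested deterministically
        self.locked = {}       # zone -> auto_update flag (True: trust the source server)
        self.pending = {}      # (zones, operation) -> (otp, issued_at)

    def lock(self, zone, auto_update=False):
        self.locked[zone] = auto_update

    def issue_otp(self, zones, operation):
        # The OTP is bound to the affected zones and the requested operation,
        # so a password issued for one change cannot authorise a different one.
        key = (frozenset(zones), operation)
        otp = secrets.token_hex(4)
        self.pending[key] = (otp, self.clock())
        return otp  # in the real service this value travels by PGP-encrypted e-mail

    def _consume_otp(self, zones, operation, otp):
        key = (frozenset(zones), operation)
        entry = self.pending.pop(key, None)  # single use: gone after one attempt
        if entry is None:
            return False
        secret, issued_at = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS:
            return False  # expired: the customer must request a fresh OTP
        return hmac.compare_digest(secret, otp)

    def apply_change(self, zones, operation, otp=None):
        """Return True if the requested change may be executed."""
        if any(z in self.locked for z in zones):
            return otp is not None and self._consume_otp(zones, operation, otp)
        return True  # zones without Zone Lock change without an OTP

    def handle_notify(self, zone):
        """Reaction to a NOTIFY from the zone's source name server."""
        if zone not in self.locked or self.locked[zone]:
            return "transfer"  # not locked, or locked with automatic updates
        return "ignored"       # locked without automatic updates: needs an OTP-authorised update
```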