[dnssec-coord] HKMA developed a Cyber Fortification Initiative (CFI) which demands DNSSEC

Dan York york at isoc.org
Wed Dec 7 07:40:13 PST 2016


On Dec 7, 2016, at 8:22 AM, Daniel Stirnimann <daniel.stirnimann at switch.ch<mailto:daniel.stirnimann at switch.ch>> wrote:

I have been made aware that the Hong Kong Monetary Authority (HKMA) has
developed a Cyber Fortification Initiative (CFI). As far as I know this
document applies to financial institutions in Hong Kong only.

Many thanks for passing this info along.

One component of this initiative, the Cyber Resilience Assessment
Framework (C-RAF) has a list of security controls and one of them is:

"Domain Name System Security Extensions (DNSSEC) is deployed across the

I'm not sure if the above states that DNSSEC validation is needed or
that the enterprise needs to sign their zones.

I agree this is unfortunately vague. Validation? or signing?  (Both would be nice.)

In any case, this seems
to have already made the rounds to some Swiss banks which are doing
business in Hong Kong and which are now looking into DNSSEC signing
their zone (or at least their .hk domain).

Great to hear!  If any of us can be of assistance, please let us know.


P.S. Would you (or anyone else on the list) be interested in digging into this and making a short presentation (and it could be very short) about this at the ICANN 58 DNSSEC Workshop in Copenhagen in March?  It seems like the kind of thing that might be interesting to share with the wider community.

Dan York
Senior Content Strategist, Internet Society
york at isoc.org<mailto:york at isoc.org>   +1-802-735-1624
Jabber: york at jabber.isoc.org<mailto:york at jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://elists.isoc.org/pipermail/dnssec-coord/attachments/20161207/d00e42e8/attachment.html>

More information about the dnssec-coord mailing list