One document matched: draft-ietf-dnsext-dnssec-bis-updates-07.xml
<?xml version="1.0"?>
<!-- See http://xml.resource.org/ for tools on how to convert this text -->
<?rfc compact="yes" ?><?rfc editing="no" ?><?rfc sortrefs="yes" ?><?rfc symrefs="yes" ?><?rfc toc="yes" ?><rfc ipr="full3978" docName="draft-ietf-dnsext-dnssec-bis-updates-07" updates="4034, 4035">
<front>
<title abbrev="DNSSECbis Implementation Notes">
Clarifications and Implementation Notes for DNSSECbis
</title>
<author initials="S." surname="Weiler" fullname="Samuel Weiler">
<organization>SPARTA, Inc.</organization>
<address>
<postal>
<street>7110 Samuel Morse Drive</street>
<city>Columbia, Maryland</city>
<code>21046</code>
<country>US</country>
</postal>
<email>weiler@tislabs.com</email>
</address>
</author>
<author initials="D." surname="Blacka" fullname="David Blacka">
<organization>VeriSign, Inc.</organization>
<address>
<postal>
<street>21345 Ridgetop Circle</street>
<city>Dulles</city>
<region>VA</region>
<code>20166</code>
<country>US</country>
</postal>
<email>davidb@verisign.com</email>
</address>
</author>
<!-- <author initials="R." surname="Austein" fullname="Rob Austein"> -->
<!-- <organization> ISC </organization> -->
<!-- <address> -->
<!-- <postal> -->
<!-- <street> 950 Charter Street </street> -->
<!-- <city> Redwood City </city> -->
<!-- <region> CA </region> -->
<!-- <code> 94063 </code> -->
<!-- <country> USA </country> -->
<!-- </postal> -->
<!-- <email> sra@isc.org </email> -->
<!-- </address> -->
<!-- </author> -->
<date year="2008"/>
<keyword>DNSSEC</keyword>
<!-- <area>Internet</area> -->
<abstract>
<t>This document is a collection of minor technical
clarifications to the DNSSECbis document set. It is meant to
serve as a resource to implementors as well as an interim
repository of DNSSECbis errata.</t>
</abstract>
</front>
<middle>
<section title="Introduction and Terminology">
<t>This document lists some minor clarifications and corrections
to DNSSECbis, as described in <xref target="RFC4033"/>, <xref target="RFC4034"/>, and <xref target="RFC4035"/>.</t>
<t>It is intended to serve as a resource for implementors and as
a repository of items that need to be addressed when advancing
the DNSSECbis documents from Proposed Standard to Draft
Standard.</t>
<t>Proposed substantive additions to this document should be
sent to the namedroppers mailing list as well as to the editors
of this document. The editors would greatly prefer
contributions of text suitable for direct inclusion in this
document.</t>
<section title="Structure of this Document">
<t>The clarifications to DNSSECbis are sorted according to the
editors' impression of their importance, starting with ones
which could, if ignored, lead to security and stability
problems and progressing down to clarifications that are
likely to have little operational impact.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119"/>.</t>
</section>
</section>
<section title="Significant Concerns" anchor="major">
<t>This section provides clarifications that, if overlooked,
could lead to security issues or major interoperability
problems.</t>
<section title="Clarifications on Non-Existence Proofs" anchor="nsec-bug">
<t><xref target="RFC4035"/> Section 5.4 slightly
underspecifies the algorithm for checking non-existence
proofs. In particular, the algorithm there might incorrectly
allow the NSEC from an ancestor zone to prove the
non-existence of other RRs at that name in the child zone or
other names in the child zone. It might also allow a NSEC at
the same name as a DNAME to prove the non-existence of names
beneath that DNAME.</t>
<t>An ancestor delegation NSEC (one with the NS bit set, but
no SOA bit set, and with a signer field that's shorter than
the owner name) MUST NOT be used to assume non-existence of
any RRs below that zone cut (both RRs at that ownername and at
ownernames with more leading labels, no matter their content).
Similarly, an NSEC with the DNAME bit set must not be used to
assume the non-existence of any subdomain of that NSEC's owner
name.</t>
</section>
<section title="Validating Responses to an ANY Query" anchor="any-queries">
<t><xref target="RFC4035"/> does not address how to validate
responses when QTYPE=*. As described in Section 6.2.2 of
<xref target="RFC1034"/>, a proper response to QTYPE=* may
include a subset of the RRsets at a given name -- it is not
necessary to include all RRsets at the QNAME in the
response.</t>
<t>When validating a response to QTYPE=*, validate all
received RRsets that match QNAME and QCLASS. If any of those
RRsets fail validation, treat the answer as Bogus. If there
are no RRsets matching QNAME and QCLASS, validate that fact
using the rules in <xref target="RFC4035"/> Section 5.4 (as
clarified in this document). To be clear, a validator must
not expect to receive all records at the QNAME in response to
QTYPE=*.</t>
</section>
<section title="Check for CNAME" anchor="check-cname">
<t>Section 5 of <xref target="RFC4035"/> says little about
validating responses based on (or that should be based on)
CNAMEs. When validating a NODATA response, it's important to
check the CNAME bit in the NSEC bitmap. If the CNAME bit is
set, the validator MUST validate the CNAME RR and follow it,
as appropriate.</t>
</section>
<section title="Unsecure Delegation Proofs">
<t><xref target="RFC4035"/> Section 5.2 specifies that a
validator, when proving a delegation is unsecure, needs to
check for the absence of the DS and SOA bits in the NSEC type
bitmap. The validator also needs to check for the presence of
the NS bit in the NSEC RR (proving that there is, indeed, a
delegation). If this is not checked, spoofed unsigned
delegations might be used to claim that an existing signed
record is not signed.</t>
</section>
<section title="Errors in Canonical Form Type Code List">
<t>When canonicalizing DNS names, DNS names in the RDATA
section of NSEC and RRSIG resource records are not
downcased.</t>
<t><xref target="RFC4034"/> Section 6.2 item 3 has a list of
resource record types for which DNS names in the RDATA are
downcased for purposes of DNSSEC canonical form (for both
ordering and signing). That list erroneously contains NSEC
and RRSIG. According to <xref target="RFC3755"/>, DNS names
in the RDATA of NSEC and RRSIG should not be downcased.</t>
<t>The same section also lists HINFO twice. The implementor
is encouraged to exercise good discretion and professional
judgment when deciding whether to downcase such DNS names once
or twice. <xref target="RFC3597"/> contained the same error
and, since it predated RFC3755, it doesn't mention RRSIG or
NSEC.</t>
</section>
</section>
<section title="Interoperability Concerns" anchor="interop">
<section title="Unknown DS Message Digest Algorithms" anchor="hash">
<t>Section 5.2 of <xref target="RFC4035"/> includes rules for
how to handle delegations to zones that are signed with
entirely unsupported algorithms, as indicated by the
algorithms shown in those zone's DS RRsets. It does not
explicitly address how to handle DS records that use
unsupported message digest algorithms. In brief, DS records
using unknown or unsupported message digest algorithms MUST be
treated the same way as DS records referring to DNSKEY RRs of
unknown or unsupported algorithms.</t>
<t>The existing text says:</t>
<t>
<list>
<t>If the validator does not support any of the algorithms
listed in an authenticated DS RRset, then the resolver has
no supported authentication path leading from the parent
to the child. The resolver should treat this case as it
would the case of an authenticated NSEC RRset proving that
no DS RRset exists, as described above.</t>
</list>
</t>
<t>To paraphrase the above, when determining the security
status of a zone, a validator discards (for this purpose only)
any DS records listing unknown or unsupported algorithms. If
none are left, the zone is treated as if it were unsigned.</t>
<t>Modified to consider DS message digest algorithms, a
validator also discards any DS records using unknown or
unsupported message digest algorithms.</t>
</section>
<section title="Private Algorithms" anchor="private">
<t>As discussed above, section 5.2 of <xref target="RFC4035"/>
requires that validators make decisions about the security
status of zones based on the public key algorithms shown in
the DS records for those zones. In the case of private
algorithms, as described in <xref target="RFC4034"/> Appendix
A.1.1, the eight-bit algorithm field in the DS RR is not
conclusive about what algorithm(s) is actually in use.</t>
<t>If no private algorithms appear in the DS set or if any
supported algorithm appears in the DS set, no special
processing will be needed. In the remaining cases, the
security status of the zone depends on whether or not the
resolver supports any of the private algorithms in use
(provided that these DS records use supported hash functions,
as discussed in <xref target="hash"/>). In these cases, the
resolver MUST retrieve the corresponding DNSKEY for each
private algorithm DS record and examine the public key field
to determine the algorithm in use. The security-aware
resolver MUST ensure that the hash of the DNSKEY RR's owner
name and RDATA matches the digest in the DS RR. If they do
not match, and no other DS establishes that the zone is
secure, the referral should be considered BAD data, as
discussed in <xref target="RFC4035"/>.</t>
<t>This clarification facilitates the broader use of private
algorithms, as suggested by <xref target="RFC4955"/>.</t>
</section>
<section title="Caution About Local Policy and Multiple RRSIGs" anchor="multi-rrsigs">
<t>When multiple RRSIGs cover a given RRset, <xref target="RFC4035"/> Section 5.3.3 suggests that "the local
resolver security policy determines whether the resolver also
has to test these RRSIG RRs and how to resolve conflicts if
these RRSIG RRs lead to differing results." In most cases, a
resolver would be well advised to accept any valid RRSIG as
sufficient. If the first RRSIG tested fails validation, a
resolver would be well advised to try others, giving a
successful validation result if any can be validated and
giving a failure only if all RRSIGs fail validation.</t>
<t>If a resolver adopts a more restrictive policy, there's a
danger that properly-signed data might unnecessarily fail
validation, perhaps because of cache timing issues.
Furthermore, certain zone management techniques, like the
Double Signature Zone-signing Key Rollover method described in
section 4.2.1.2 of <xref target="RFC4641"/> might not work
reliably.</t>
</section>
<section title="Key Tag Calculation" anchor="key-tags">
<t><xref target="RFC4034"/> Appendix B.1 incorrectly defines
the Key Tag field calculation for algorithm 1. It correctly
says that the Key Tag is the most significant 16 of the least
significant 24 bits of the public key modulus. However, <xref target="RFC4034"/> then goes on to incorrectly say that this
is 4th to last and 3rd to last octets of the public key
modulus. It is, in fact, the 3rd to last and 2nd to last
octets.</t>
</section>
<section title="Setting the DO Bit on Replies" anchor="clear-do-bit">
<t><xref target="RFC4035"/> does not provide any instructions
to servers as to how to set the DO bit. Some authoritative
server implementations have chosen to copy the DO bit settings
from the incoming query to the outgoing response. Others have
chosen to never set the DO bit in responses. Either behavior
is permitted. To be clear, in replies to queries with the
DO-bit set servers may or may not set the DO bit.</t>
</section>
</section>
<section title="Minor Corrections and Clarifications" anchor="minor">
<section title="Finding Zone Cuts" anchor="grandparent">
<t>Appendix C.8 of <xref target="RFC4035"/> discusses sending
DS queries to the servers for a parent zone. To do that, a
resolver may first need to apply special rules to discover
what those servers are.</t>
<t>As explained in Section 3.1.4.1 of <xref target="RFC4035"/>, security-aware name servers need to apply
special processing rules to handle the DS RR, and in some
situations the resolver may also need to apply special rules
to locate the name servers for the parent zone if the resolver
does not already have the parent's NS RRset. Section 4.2 of
<xref target="RFC4035"/> specifies a mechanism for doing
that.</t>
</section>
<section title="Clarifications on DNSKEY Usage" anchor="keys">
<t>Questions of the form "can I use a different DNSKEY for
signing this RRset" have occasionally arisen.</t>
<t>The short answer is "yes, absolutely". You can even use a
different DNSKEY for each RRset in a zone, subject only to
practical limits on the size of the DNSKEY RRset. However, be
aware that there is no way to tell resolvers what a
particularly DNSKEY is supposed to be used for -- any DNSKEY
in the zone's signed DNSKEY RRset may be used to authenticate
any RRset in the zone. For example, if a weaker or less
trusted DNSKEY is being used to authenticate NSEC RRsets or
all dynamically updated records, that same DNSKEY can also be
used to sign any other RRsets from the zone.</t>
<t>Furthermore, note that the SEP bit setting has no effect on
how a DNSKEY may be used -- the validation process is
specifically prohibited from using that bit by <xref target="RFC4034"/> section 2.1.2. It is possible to use a
DNSKEY without the SEP bit set as the sole secure entry point
to the zone, yet use a DNSKEY with the SEP bit set to sign all
RRsets in the zone (other than the DNSKEY RRset). It's also
possible to use a single DNSKEY, with or without the SEP bit
set, to sign the entire zone, including the DNSKEY RRset
itself.</t>
</section>
<section title="Errors in Examples" anchor="examples-nits">
<t>The text in <xref target="RFC4035"/> Section C.1 refers to
the examples in B.1 as "x.w.example.com" while B.1 uses
"x.w.example". This is painfully obvious in the second
paragraph where it states that the RRSIG labels field value of
3 indicates that the answer was not the result of wildcard
expansion. This is true for "x.w.example" but not for
"x.w.example.com", which of course has a label count of 4
(antithetically, a label count of 3 would imply the answer was
the result of a wildcard expansion).</t>
<t>The first paragraph of <xref target="RFC4035"/> Section C.6
also has a minor error: the reference to "a.z.w.w.example"
should instead be "a.z.w.example", as in the previous
line.</t>
</section>
</section>
<section title="IANA Considerations">
<t>This document specifies no IANA Actions.</t>
</section>
<section title="Security Considerations" anchor="security">
<t>This document does not make fundamental changes to the DNSSEC
protocol, as it was generally understood when DNSSECbis was
published. It does, however, address some ambiguities and
omissions in those documents that, if not recognized and
addressed in implementations, could lead to security failures.
In particular, the validation algorithm clarifications in <xref target="major"/> are critical for preserving the security
properties DNSSEC offers. Furthermore, failure to address some
of the interoperability concerns in <xref target="interop"/>
could limit the ability to later change or expand DNSSEC,
including by adding new algorithms.</t>
</section>
</middle>
<back>
<references title="Normative References">
<!-- Begin inclusion: reference.RFC.4033.xml --><reference anchor="RFC4033">
<front>
<title>DNS Security Introduction and Requirements</title>
<author fullname="R. Arends" initials="R." surname="Arends">
<organization/>
</author>
<author fullname="R. Austein" initials="R." surname="Austein">
<organization/>
</author>
<author fullname="M. Larson" initials="M." surname="Larson">
<organization/>
</author>
<author fullname="D. Massey" initials="D." surname="Massey">
<organization/>
</author>
<author fullname="S. Rose" initials="S." surname="Rose">
<organization/>
</author>
<date month="March" year="2005"/>
<keyword>domain name system</keyword>
<keyword>authentication</keyword>
<keyword>origin integrity</keyword>
<keyword>dnssec</keyword>
<keyword>domain name system security extensions </keyword>
<abstract>
<t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4033"/>
<format type="TXT" octets="52445" target="http://www.rfc-editor.org/rfc/rfc4033.txt"/>
<!-- obsoletes RFC2535 RFC3008 RFC3090 RFC3445 RFC3655 RFC3658 RFC3755 RFC3757 RFC3845 -->
<!-- updates RFC1034 RFC1035 RFC2136 RFC2181 RFC2308 RFC3225 RFC3007 RFC3597 RFC3226 -->
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.4033.xml -->
<!-- Begin inclusion: reference.RFC.4034.xml --><reference anchor="RFC4034">
<front>
<title>Resource Records for the DNS Security Extensions</title>
<author fullname="R. Arends" initials="R." surname="Arends">
<organization/>
</author>
<author fullname="R. Austein" initials="R." surname="Austein">
<organization/>
</author>
<author fullname="M. Larson" initials="M." surname="Larson">
<organization/>
</author>
<author fullname="D. Massey" initials="D." surname="Massey">
<organization/>
</author>
<author fullname="S. Rose" initials="S." surname="Rose">
<organization/>
</author>
<date month="March" year="2005"/>
<keyword>domain name system</keyword>
<keyword>authentication</keyword>
<keyword>origin integrity</keyword>
<keyword>dnssec</keyword>
<keyword>domain name system security extensions </keyword>
<abstract>
<t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4034"/>
<format type="TXT" octets="63879" target="http://www.rfc-editor.org/rfc/rfc4034.txt"/>
<!-- obsoletes RFC2535 RFC3008 RFC3090 RFC3445 RFC3655 RFC3658 RFC3755 RFC3757 RFC3845 -->
<!-- updates RFC1034 RFC1035 RFC2136 RFC2181 RFC2308 RFC3225 RFC3007 RFC3597 RFC3226 -->
<!-- updated-by RFC4470 -->
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.4034.xml -->
<!-- Begin inclusion: reference.RFC.4035.xml --><reference anchor="RFC4035">
<front>
<title>Protocol Modifications for the DNS Security Extensions</title>
<author fullname="R. Arends" initials="R." surname="Arends">
<organization/>
</author>
<author fullname="R. Austein" initials="R." surname="Austein">
<organization/>
</author>
<author fullname="M. Larson" initials="M." surname="Larson">
<organization/>
</author>
<author fullname="D. Massey" initials="D." surname="Massey">
<organization/>
</author>
<author fullname="S. Rose" initials="S." surname="Rose">
<organization/>
</author>
<date month="March" year="2005"/>
<keyword>domain name system</keyword>
<keyword>authentication</keyword>
<keyword>origin integrity</keyword>
<keyword>dnssec</keyword>
<keyword>domain name system security extensions </keyword>
<abstract>
<t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4035"/>
<format type="TXT" octets="130589" target="http://www.rfc-editor.org/rfc/rfc4035.txt"/>
<!-- obsoletes RFC2535 RFC3008 RFC3090 RFC3445 RFC3655 RFC3658 RFC3755 RFC3757 RFC3845 -->
<!-- updates RFC1034 RFC1035 RFC2136 RFC2181 RFC2308 RFC3225 RFC3007 RFC3597 RFC3226 -->
<!-- updated-by RFC4470 -->
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.4035.xml -->
<!-- Begin inclusion: reference.RFC.2119.xml --><reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<keyword> Standards</keyword>
<keyword>Track</keyword>
<keyword>Documents </keyword>
<abstract>
<t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="BCP" value="14"/>
<format type="TXT" octets="4723" target="http://www.rfc-editor.org/rfc/rfc2119.txt"/>
<!-- current-status BEST CURRENT PRACTICE -->
<!-- publication-status BEST CURRENT PRACTICE -->
</reference><!-- End inclusion: reference.RFC.2119.xml -->
<!-- Begin inclusion: reference.RFC.1034.xml --><reference anchor="RFC1034">
<front>
<title>Domain names - concepts and facilities</title>
<author fullname="P.V. Mockapetris" initials="P.V." surname="Mockapetris">
<organization/>
</author>
<date month="November" year="1987"/>
<keyword> DOMAIN</keyword>
<abstract>
<t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="1034"/>
<seriesInfo name="STD" value="13"/>
<format type="TXT" octets="129180" target="http://www.rfc-editor.org/rfc/rfc1034.txt"/>
<!-- obsoletes RFC0973 RFC0882 RFC0883 -->
<!-- updated-by RFC1101 RFC1183 RFC1348 RFC1876 RFC1982 RFC2065 RFC2181 RFC2308 RFC2535 RFC4033 RFC4034 RFC4035 RFC4343 RFC4035 RFC4592 -->
<!-- current-status STANDARD -->
<!-- publication-status STANDARD -->
</reference><!-- End inclusion: reference.RFC.1034.xml -->
</references>
<references title="Informative References">
<!-- Begin inclusion: reference.RFC.3597.xml --><reference anchor="RFC3597">
<front>
<title>Handling of Unknown DNS Resource Record (RR) Types</title>
<author fullname="A. Gustafsson" initials="A." surname="Gustafsson">
<organization/>
</author>
<date month="September" year="2003"/>
<keyword>domain name system</keyword>
<keyword>name server software</keyword>
<keyword>compression</keyword>
<keyword>transparency </keyword>
<abstract>
<t>Extending the Domain Name System (DNS) with new Resource Record (RR) types currently requires changes to name server software. This document specifies the changes necessary to allow future DNS implementations to handle new RR types transparently. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3597"/>
<format type="TXT" octets="17559" target="http://www.rfc-editor.org/rfc/rfc3597.txt"/>
<!-- updates RFC2163 RFC2535 -->
<!-- updated-by RFC4033 RFC4034 RFC4035 -->
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.3597.xml -->
<!-- Begin inclusion: reference.RFC.4955.xml --><reference anchor="RFC4955">
<front>
<title>DNS Security (DNSSEC) Experiments</title>
<author fullname="D. Blacka" initials="D." surname="Blacka">
<organization/>
</author>
<date month="July" year="2007"/>
<keyword>domain namespace</keyword>
<abstract>
<t>This document describes a methodology for deploying alternate, non-backwards-compatible, DNS Security (DNSSEC) methodologies in an experimental fashion without disrupting the deployment of standard DNSSEC. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4955"/>
<format type="TXT" octets="15417" target="http://www.rfc-editor.org/rfc/rfc4955.txt"/>
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.4955.xml -->
<!-- Begin inclusion: reference.RFC.4641.xml --><reference anchor="RFC4641">
<front>
<title>DNSSEC Operational Practices</title>
<author fullname="O. Kolkman" initials="O." surname="Kolkman">
<organization/>
</author>
<author fullname="R. Gieben" initials="R." surname="Gieben">
<organization/>
</author>
<date month="September" year="2006"/>
<keyword>dns</keyword>
<keyword>domain name space</keyword>
<keyword>security extensions</keyword>
<keyword>zone administrator</keyword>
<keyword>DNS-SOC</keyword>
<keyword>cryptology</keyword>
<keyword>resource records</keyword>
<keyword>rrs</keyword>
<abstract>
<t>This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC. The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies. This document obsoletes RFC 2541, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the new DNSSEC specification. This memo provides information for the Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="4641"/>
<format type="TXT" octets="79894" target="http://www.rfc-editor.org/rfc/rfc4641.txt"/>
<!-- obsoletes RFC2541 -->
<!-- current-status INFORMATIONAL -->
<!-- publication-status INFORMATIONAL -->
</reference><!-- End inclusion: reference.RFC.4641.xml -->
<!-- Begin inclusion: reference.RFC.3755.xml --><reference anchor="RFC3755">
<front>
<title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
<author fullname="S. Weiler" initials="S." surname="Weiler">
<organization/>
</author>
<date month="May" year="2004"/>
<keyword> dnssec</keyword>
<keyword>DNS Security</keyword>
<keyword>rr</keyword>
<keyword>resource record</keyword>
<keyword>DNS-SECEXT</keyword>
<keyword>dns</keyword>
<keyword>authentication</keyword>
<keyword>nsec</keyword>
<keyword>nextsecure </keyword>
<abstract>
<t>As the DNS Security (DNSSEC) specifications have evolved, the syntax and semantics of the DNSSEC resource records (RRs) have changed. Many deployed nameservers understand variants of these semantics. Dangerous interactions can occur when a resolver that understands an earlier version of these semantics queries an authoritative server that understands the new delegation signer semantics, including at least one failure scenario that will cause an unsecured zone to be unresolvable. This document changes the type codes and mnemonics of the DNSSEC RRs (SIG, KEY, and NXT) to avoid those interactions. [STANDARDS TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="3755"/>
<format type="TXT" octets="19812" target="http://www.rfc-editor.org/rfc/rfc3755.txt"/>
<!-- obsoleted-by RFC4033 RFC4034 RFC4035 -->
<!-- updates RFC3658 RFC2535 -->
<!-- updated-by RFC3757 RFC3845 -->
<!-- current-status PROPOSED STANDARD -->
<!-- publication-status PROPOSED STANDARD -->
</reference><!-- End inclusion: reference.RFC.3755.xml -->
</references>
<section title="Acknowledgments">
<t>The editors would like the thank Rob Austein for his previous
work as an editor of this document.</t>
<t>The editors are extremely grateful to those who, in addition
to finding errors and omissions in the DNSSECbis document set,
have provided text suitable for inclusion in this document.</t>
<t>The lack of specificity about handling private algorithms, as
described in <xref target="private"/>, and the lack of
specificity in handling ANY queries, as described in <xref target="any-queries"/>, were discovered by David Blacka.</t>
<t>The error in algorithm 1 key tag calculation, as described in
<xref target="key-tags"/>, was found by Abhijit Hayatnagarkar.
Donald Eastlake contributed text for <xref target="key-tags"/>.</t>
<t>The bug relating to delegation NSEC RR's in <xref target="nsec-bug"/> was found by Roy Badami. Roy Arends found
the related problem with DNAME.</t>
<t>The errors in the <xref target="RFC4035"/> examples were
found by Roy Arends, who also contributed text for <xref target="examples-nits"/> of this document.</t>
<t>The editors would like to thank Ed Lewis, Danny Mayer, Olafur
Gudmundsson, Suzanne Woolf, and Scott Rose for their substantive
comments on the text of this document.</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:55:53 |