INTERNET-DRAFT Mapping A.S. Number into the DNS
May 1997
Expires November 1997
Mapping Autonomous Systems Number into the Domain Name System
------- ---------- ------- ------ ---- --- ------ ---- ------
Donald E. Eastlake 3rd
Status of This Document
This draft, file name draft-ietf-dnssec-as-map-04.txt, is intended to
become a standards track RFC concerning utilization of the Domain
Name System (DNS) to support routing security. Distribution of this
document is unlimited. Comments should be sent to the DNS Security
Working Group mailing list <dns-security@tis.com> or to the author.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).
Donald E. Eastlake 3rd [Page 1]
Abstract
One requirement of secure routing is that independent routing
entities, such as those identified by Internet Autonomous System
Numbers, be able to authenticate messages to each other. Additions
have developed to the Domain Name System to enable it to be used for
authenticated public key distribution [RFC 2065]. This draft maps
all Autonomous System numbers into DNS Domain Names so that the DNS
can be used to distribute their public keys.
Acknowledgements
The contributions of the following persons, listed in alphabetic
order, to this draft are gratefully acknowledged:
Ran Atkinson
Christian Huitema
Tony Li
Michael A. Patton.
Table of Contents
Status of This Document....................................1
Abstract...................................................2
Acknowledgements...........................................2
Table of Contents..........................................3
1. Introduction............................................4
2. Autonomous System Number Mapping........................5
3. Meaning of RRs..........................................6
4. Security Considerations.................................8
References.................................................8
Author's Address...........................................8
Expiration and File Name...................................8
1. Introduction
There are a number of elements required to secure routing in the
Internet. One of these is a way for independently operated top
level routing domains to authenticate messages to each other.
Sharing a private symmetric key between each pair of such domains is
impractical. The Autonomous System numbering scheme provides for
2**16 such domains which implies approximately 2**31 pairs, an
impractical number of keys to securely generate, install, and
periodically replace.
The solution is to use public key technology whereby each domain has
a private key it can use to sign messages. Other domains that know
the corresponding public key can then authenticate these messages.
Such authenticated messages can be used to set up and maintain
efficient symmetric keys on an as needed basis.
But how do the domains securely obtain the Autonomous System number
to public key mapping?
Extensions have been developed for the Domain Name System that enable
it to be conveniently used for authenticated public key distribution
[RFC 2065]. A variety of key types can be supported. All that is
required is a mapping of Autonomous System numbers into domain names,
which is provided by this draft.
It should be noted that the public keys retrieved from DNS will
likely be used primarily to authenticate initial connection set up
messages. Autonomous Systems that need to converse with any
frequency will probably negotiate more efficient session keys.
2. Autonomous System Number Mapping
Autonomous System (A.S.) numbers are 16 bit quantities, usually
written as a decimal number whose maximum value is 65,535. For
example, ANS is autonomous system 690. The A.S. number is mapped
into a domain name as described below.
Divide the A.S. number into 4 bit nibbles starting with the most
significant 4 bits. Represent each nibble as a decimal number,
reverse their order and put a period between them, and then append
".in-as.arpa". This mapping is analogous to the IPv4 address mapping
into the in-addr.arpa DNS domain.
Thus the domain name corresponding to Autonomous System 690 (decimal) is
2.11.2.0.in-as.arpa.
the domain corresponding to the largest possible A.S. number is
15.15.15.15.in-as.arpa
and the domain corresponding to A.S. number 65,000 is
8.14.13.15.in-as.arpa.
3. Meaning of RRs
The following guidance is given for some RR types that could be
stored under the names mapped from A.S. numbers. The KEY RR is given
first, followed by the SIG RR, the NXT RR, and then some additional
RR types in alphabetic order.
KEY: This type of resource record associates a public key with
the Autonomous System (A.S.) designated by its name. Such a public
key can be used to authenticate communications with or between A.S.s.
The existence of KEY RRs is the reason for mapping A.S. names into
the DNS. Under DNS security as proposed in RFC 2065 the KEY RR can
be used to store a variety of digital keys. In this case, the entity
key bit should be on in the KEY RR flags field.
SIG: The SIG signature resource record authenticates the RRs
that it signs as described in RFC 2065. Assuming the signer who
generated the SIG is trustworthy, such as the in-as.arpa zone owner,
then the signed RRs can be trusted.
NXT: An NXT RR is used in DNS security to provide authenticated
denial of the existence of types and names as described in RFC 2065.
A: DO NOT place type A RRs at A.S. nodes. A.S. domain names are
reserved for Autonomous Systems only and should NOT be used for a
host or any type of end entity other than an Autonomous System.
CNAME: This type of RR is an alias pointing to another domain
name. An A.S. could have a CNAME pointing to a different A.S. but
this is not likely to be very useful as A.S. RRs will normally be
looked up when the A.S. number is actually encountered in use.
MX: There is no special use for an MX RR for an A.S. name. It
could point to a host that would accept mail related to that A.S.
NS: The presence of NS records under an in-as.arpa name means
that it has been carved out as a subzone. This gives the A.S.
complete control over the zone refresh parameters and control over
the creation of inferior names. No special meaning is currently
assigned to such inferior names so, although this is not advised,
they could be used for hosts or whatever.
PTR: The part of the forward domain tree that administratively
corresponds to the A.S. should be indicated by a PTR RR. If some
entity, say example.xx, has several A.S.s, there would be PTRs to
example.xx from several names in the in-as.arpa hierarchy.
RP: A Responsible Person RR SHOULD appear under each A.S. name
telling you who you should contact in the case of problems with that
A.S.
TXT: Text RRs can be used for comments, postal address, or
similar notes under an A.S. name.
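The following is an added example, not part of this draft: it implements the section 2 nibble mapping in both directions (with range and label validation) and lints a constructed set of A.S. node records against the section 3 guidance that type A RRs must not appear and an RP RR should. The record set and the lint function are the author of this example's own construction.

```python
"""Added example (not from the draft): section 2 mapping both ways, plus a
lint of constructed A.S. node records against the section 3 guidance."""
import re

SUFFIX = "in-as.arpa"
_NAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\." + re.escape(SUFFIX) + r"\.?$")

def as_to_name(asn: int) -> str:
    """Four 4-bit nibbles, most significant first, each written in decimal,
    order reversed, joined with '.', then the in-as.arpa suffix appended."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError(f"A.S. number out of 16-bit range: {asn}")
    nibbles = [(asn >> shift) & 0xF for shift in (12, 8, 4, 0)]
    return ".".join(str(n) for n in reversed(nibbles)) + "." + SUFFIX

def name_to_as(name: str) -> int:
    """Inverse mapping; rejects labels that are not valid nibbles (0..15)."""
    m = _NAME_RE.match(name.lower())
    if not m:
        raise ValueError(f"not an in-as.arpa A.S. name: {name}")
    labels = [int(x) for x in m.groups()]
    if any(lab > 15 for lab in labels):
        raise ValueError(f"label is not a 4-bit nibble: {name}")
    asn = 0
    for nib in reversed(labels):  # undo the reversal: most significant first
        asn = (asn << 4) | nib
    return asn

def lint_as_records(records):
    """records: (owner, rrtype) pairs at A.S. nodes. Returns findings: type A
    is forbidden at an A.S. node, and each node SHOULD carry an RP RR."""
    by_owner = {}
    for owner, rrtype in records:
        by_owner.setdefault(owner.lower().rstrip("."), set()).add(rrtype.upper())
    findings = []
    for owner, types in sorted(by_owner.items()):
        if "A" in types:
            findings.append(f"{owner}: type A RR not permitted at an A.S. node")
        if "RP" not in types:
            findings.append(f"{owner}: no RP RR (SHOULD be present)")
    return findings

# Constructed sample records for A.S. 690 and A.S. 65000 (not from the draft).
SAMPLE_RECORDS = [
    ("2.11.2.0.in-as.arpa.", "KEY"), ("2.11.2.0.in-as.arpa.", "RP"),
    ("2.11.2.0.in-as.arpa.", "PTR"),
    ("8.14.13.15.in-as.arpa.", "KEY"), ("8.14.13.15.in-as.arpa.", "A"),
]
```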
4. Security Considerations
The entirety of this document concerns a means to map Internet
Autonomous System numbers into the Domain Name System (DNS) so that
DNS can be used to provide secure distribution of Autonomous System's
public keys.
References
[RFC 904] - Exterior Gateway Protocol Formal Specification, D. L.
Mills, April 1984.
[RFC 1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
November 1987.
[RFC 1035] - Domain Names - Implementation and Specifications, P.
Mockapetris, November 1987.
[RFC 2065] - Domain Name System Security Extensions, D. Eastlake, C.
Kaufman, January 1997.
Author's Address
Donald E. Eastlake 3rd
CyberCash, Inc.
318 Acton Street
Carlisle, MA 01741 USA
Telephone: +1 508 287 4877
FAX: +1 508 371 7148
EMail: dee@cybercash.com
Expiration and File Name
This draft expires November 1997.
Its file name is draft-ietf-dnssec-as-map-04.txt.