draft-ietf-dnsext-delegation-signer-02.txt   draft-ietf-dnsext-delegation-signer-03.txt 
DNSEXT Working Group Olafur Gudmundsson DNSEXT Working Group Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-02.txt> <draft-ietf-dnsext-delegation-signer-03.txt>
Updates: RFC 1035, RFC 2535, RFC 3008. Updates: RFC 1035, RFC 2535, RFC 3008.
Delegation Signer record in parent. Delegation Signer record in parent.
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Comments should be sent to the authors or the DNSEXT WG mailing list Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org namedroppers@ops.ietf.org
This draft expires on February 20, 2002. This draft expires on March 26, 2002.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2001). All rights reserved. Copyright (C) The Internet Society (2001). All rights reserved.
Abstract Abstract
The Delegation Signer (DS) RR set is stored in a delegating (parent) The Delegation Signer (DS) RR set is stored in a delegating (parent)
zone at each delegation point, and indicates the keys used in the zone at each delegation point, and indicates the keys used in the
delegated (child) zone. The main design goal of the DS RR simplify the delegated (child) zone. The main design goal of the DS RR simplify the
operation of secure delegations by eliminating the need to store the operation of secure delegations by eliminating the need to store the
same RR in parent and child, as is done with the NS RR set and the KEY same RR in parent and child, as is done with the NS RR set and the KEY
set in RFC2535. set in RFC2535.
Secure resolvers need to take an additional step with DS to verify a Secure resolvers need to take an additional step with DS to verify a
child's KEY RR set. Operationally this schema is much simpler as child's KEY RR set. Operationally this schema is much simpler as
operation of the two zones at delegation is now decoupled to great operation of the two zones at delegation is now decoupled to great
extent. extent.
This document updates RFC1035, RFC2535 and RFC3008.
1 - Introduction 1 - Introduction
Familiarity with the DNS system [RFC1035], DNS security extensions Familiarity with the DNS system [RFC1035], DNS security extensions
[RFC2535] and DNSSEC terminology [RFC3090] is important. [RFC2535] and DNSSEC terminology [RFC3090] is important.
When the same data can reside in two administratively different DNS When the same data can reside in two administratively different DNS
zones, the data frequently gets out of sync. NS record in a zone zones, the data frequently gets out of sync. NS record in a zone
indicates that this name is a delegation and the NS record lists the indicates that this name is a delegation and the NS record lists the
authorative servers for the real zone. Based on actual measurements authorative servers for the real zone. Based on actual measurements
skipping to change at page 2, line 30 skipping to change at page 2, line 31
parent and child. There are number of reasons for this, including lack parent and child. There are number of reasons for this, including lack
of communication between parent and child and bogus name-servers being of communication between parent and child and bogus name-servers being
listed to meet registrar requirements. listed to meet registrar requirements.
DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
KEY set signed by the parent to create a verifiable chain of KEYs. KEY set signed by the parent to create a verifiable chain of KEYs.
There is some debate, where the signed KEY set should reside, There is some debate, where the signed KEY set should reside,
parent[Parent] or child[RFC2535]. If the KEY set resides at the child, parent[Parent] or child[RFC2535]. If the KEY set resides at the child,
frequent two way communication is needed between the two parties. frequent two way communication is needed between the two parties.
First the child needs to transmit the key set to parent and then the First the child needs to transmit the key set to parent and then the
parent must send the signed set or signatures to child. If the KEY set parent sends the signed set or signatures to child. If the KEY set
resides at the parent the communication is reduced as the child only resides at the parent the communication is reduced as the child only
sends changed key sets to parent. sends changed key sets to parent.
DNSSEC[RFC2535] requires that the parent store NULL key set for DNSSEC[RFC2535] requires that the parent store NULL key set for
unsecure children, this complicates resolution process in many cases unsecure children, this complicates resolution process in many cases
as servers for both parent and child need to be queried for KEY set if as servers for both parent and child need to be queried for KEY set if
the child server does not return a KEY set. Storing the KEY record the child server does not return a KEY set. Storing the KEY record
only in the parent zone simplifies this and allows the elimination of only in the parent zone simplifies this and allows the elimination of
the NULL key set. the NULL key set.
Another complication of the DNSSEC KEY model is that KEY record is Another complication of the DNSSEC KEY model is that KEY record is
used to store DNS zone keys and public keys for other protocols. used to store DNS zone keys and public keys for other protocols.
There are number of potential problems with this including: There are number of potential problems with this including:
1. KEY set may become quite large if many applications/protocols 1. KEY set can become quite large if many applications/protocols
store their keys at the zone apex. Possible protocols are IPSEC, store their keys at the zone apex. Possible protocols are IPSEC,
HTTP, SMTP, SSH and others that use public key cryptography. HTTP, SMTP, SSH and others that use public key cryptography.
2. Key set may require frequent updates. 2. Key set may require frequent updates.
3. Probability of compromised/lost keys increases and triggers 3. Probability of compromised/lost keys increases and triggers
emergency key rollover procedures. emergency key rollover procedures.
4. Parent may refuse sign key sets with NON DNS zone keys.
4. Parent may refuse sign key sets with NON DNS zone keys.
5. Parent may not meet the child's expectations in turnaround time 5. Parent may not meet the child's expectations in turnaround time
in resigning the key set. in resigning the key set.
Given these and other reasons there is good reason to explore Given these and other reasons there is good reason to explore
alternatives to using only KEY records to create chain of trust. alternatives to using only KEY records to create chain of trust.
Some of these problems can be reduced or eliminated by operational Some of these problems can be reduced or eliminated by operational
rules or protocol changes. To reduce the number of keys at apex, a rules or protocol changes. To reduce the number of keys at apex, a
rule to require applications to store their KEY records at the SRV rule to require applications to store their KEY records at the SRV
name for that application is one possibility. Another is to restrict name for that application is one possibility. Another is to restrict
skipping to change at page 3, line 45 skipping to change at page 3, line 46
The chain of trust is now established by verifying the parent KEY set, The chain of trust is now established by verifying the parent KEY set,
the DS set from the parent and the KEY set at the child. This is the DS set from the parent and the KEY set at the child. This is
cryptographically equivalent to just using KEY records. cryptographically equivalent to just using KEY records.
Communication between the parent and child is greatly reduced, since Communication between the parent and child is greatly reduced, since
the child only needs to notify parent about changes in keys that sign the child only needs to notify parent about changes in keys that sign
its apex KEY RRset. Parent is ignorant of all other keys in the its apex KEY RRset. Parent is ignorant of all other keys in the
child's apex KEY RRset, and the child maintains full control over the child's apex KEY RRset, and the child maintains full control over the
apex KEY set and its content. Child can maintain any policies over apex KEY set and its content. Child can maintain any policies over
its DNS and other KEY usage with minimal impact on parent. Thus if its DNS and other KEY usage with minimal impact on parent. Thus if
child wants to have frequent key rollover for its DNS keys parent child wants to have frequent key rollover for its DNS keys parent does
does not need to be aware of it as the child can use one key to only not need to be aware of it as the child can use one key to only sign
sign its apex KEY set and other keys to sign the other record sets in its apex KEY set and other keys to sign the other record sets in the
the zone. zone.
This model fits well with slow roll out of DNSSEC and islands of This model fits well with slow roll out of DNSSEC and islands of
security model. In the islands of security model someone that trusts security model. In the islands of security model someone that trusts
"good.example." can preconfigure a key from "good.example." as a "good.example." can preconfigure a key from "good.example." as a
trusted keys and from then on trusts any data that is signed by that trusted keys and from then on trusts any data that is signed by that
key or has a chain of trust to that key. If "example." starts key or has a chain of trust to that key. If "example." starts
advertising DS records, "good.example." does not have to change advertising DS records, "good.example." does not have to change
operations, by suspending self-signing. DS records can also be used to operations, by suspending self-signing. DS records can also be used to
identify trusted keys instead of KEY records. One further advantage identify trusted keys instead of KEY records. One further advantage
is the information stored in the parent is minimized, as only records is the information stored in the parent is minimized, as only records
for secure delegations are needed. for secure delegations are needed.
The main disadvantage of this approach that verifying delegations KEY The main disadvantage of this approach that verifying delegations KEY
set requires twice as many signature verification operations. There set requires twice as many signature verification operations. There
is no impact on the number of signatures verified for other RR sets. is no impact on the number of signatures verified for other RR sets.
2.2 Protocol change 2.2 Protocol change
A DS RR set MUST appear at each secure delegation from a secure zone. Each secure delegation in a secure zone MUST contain a DS RR set. If
If a DS RR set accompanies the NS RR set, the intent is to state that a DS RR set accompanies the NS RR set, the intent is to state that the
the child zone is secured. If an NS RR set exists without a DS RR set child zone is secured. If an NS RR set exists without a DS RR set the
the intent is to state that the child zone is unsecure. intent is to state that the child zone is unsecure. DS sets MUST NOT
The public keys indicated in the DS RR set are the keys the child has appear at non delegations or at zone APEX.
informed the parent, the child allows to sign the child zone apex KEY
RR set. Barring emergency, the intent of the DS RR set it to indicate In a zone that uses DS, insecure delegations MUST have the NODS[TBD]
to state the child's zone keyset signing keys. If the child's APEX is bit set in the NXT record. This is required to differenciate this
not signed by any KEY indicated in the DS RR set than any of number of delegation from Secure RFC2535 delegation.
problems may have occurred, and are described later.
Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section Updates RFC2535 sections 2.3.4 and 3.4, as well as RFC3008 section
2.7: Delegating zones MUST NOT store KEY records for delegations. The 2.7:
only records that can appear at delegation in parent are NS, SIG, NXT Delegating zones MUST NOT store KEY records for delegations. The only
and DS. records that can appear at delegation in parent are NS, SIG, NXT and
DS.
Zone MUST self sign its apex KEY set, it SHOULD sign it with a key Zone MUST self sign its apex KEY set, it SHOULD sign it with a key
that corresponds to a DS record in the parent. The KEY used to sign that corresponds to a DS record in the parent. The KEY used to sign
the apex KEY RRset MAY sign other RRsets in the zone. the apex KEY RRset MAY sign other RRsets in the zone.
If child apex KEY RRset is not signed with one of the keys specified If child apex KEY RRset is not signed with one of the keys specified
in the DS record the child is locally secure[RFC3090] and SHOULD only in the DS record the child is locally secure[RFC3090] and SHOULD only
be considered secure the resolver has been configured to trust the key be considered secure if the resolver has been configured to trust the
used. key used.
Authorative server for a zone with DS records MUST include the DS Authorative server answering a query with the OK bit[OKbit] set, MUST
records in answers for a delegation, when the OKbit[okbit] is set in include the DS records and NXT record along with signatures in answers
the query and if space is available in answer. DS records SHOULD have for a delegation and space is available. DS and NXT records SHOULD
lower priority than address records but higher priority than KEY have lower priority than address records but higher priority than KEY.
records. Caching servers SHOULD return the DS and parent NXT record(s) in the
Caching servers SHOULD return the DS record in the additional section additional section under the same condition.
under the same condition.
2.2.1 - Comments on protocol change 2.2.1 - Comments on protocol change
Over the years there has been various discussions on that the Over the years there has been various discussions on that the
delegation model in DNS is broken as there is no real good way to delegation model in DNS is broken as there is no real good way to
assert if delegation exists. In RFC2535 version of DNSSEC the assert if delegation exists. In RFC2535 version of DNSSEC the
authentication of a delegation is the NS bit in the NXT bitmap at the authentication of a delegation is the NS bit in the NXT bitmap at the
delegation point. Something more explicit is needed and the DS record delegation point. Something more explicit is needed and the DS record
addresses this for secure delegations. addresses this for secure delegations.
DS record is the first DNS record that can only appear on the upper DS record is the first DNS record that can only appear on the upper
side of a delegation. NS records appear at both sides as do SIG and side of a delegation. NS records appear at both sides as do SIG and
NXT. All other records can only appear at the lower side. This will NXT. All other records can only appear at the lower side. This will
cause some problems as servers authorative for parent may reject DS cause some problems as servers authorative for parent, reject DS
record even if the server understands unknown types, or not hand them record even if the server understands unknown types, or will not hand
out unless explicitly asked. Similarly a nameserver acting as a them out unless explicitly asked. Similarly a nameserver acting as a
authorative for child and as a caching recursive server may never authorative for child and as a caching recursive server may never
return the DS record. A caching server does not care from which side return the DS record.
DS record comes from and thus does not have to be changed if it
supports unknown types. Different TTL values on the child's NS set A caching server that supports unkown types, does not care from which
and parents DS set may cause the DS set to expire before the NS set. side DS record comes from and thus does not have to be changed.
In this case an non-DS aware server would ask the child server for the Different TTL values on the child's NS set and parents DS set can
DS set and get NXDOMAIN answer. DS aware server will know to ask a cause the DS set to expire before the NS set.
parent DNS server for the DS record.
Secure resolvers need to know about the DS record and how to interpret Secure resolvers need to know about the DS record and how to interpret
it. In the worst case, introducing the DS record, doubles the it. In the worst case, introducing the DS record, doubles the
signatures that need to be checked to validate a KEY set. signatures that need to be checked to validate a KEY set.
Note: The working group must determine if the tradeoff between more
work in resolvers is justified by the operational simplification of
this model. The author thinks this is a small price to pay to have a
cleaner delegations structure. One argument, put forward is that DNS
should be optimized for read when ever possible, and on the face of it
adding the DS record makes reading data from DNS more expensive. The
operational complexities and legal hurdles related to KEY records in
either parents or children may prevent DNSSEC deployment.
2.3 Wire format of DS record 2.3 Wire format of DS record
The DS (type=TDB) record consists of algorithm, key tag and SHA-1 The DS (type=TDB) record consists of algorithm, key tag and SHA-1
digest of the public key KEY record allowed to sign the child's digest of the public key KEY record allowed to sign the child's
delegation. delegation.
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 7, line 9 skipping to change at page 6, line 33
enough to uniquely identify the key. This is similar to the PGP enough to uniquely identify the key. This is similar to the PGP
footprint. footprint.
DS record is also well suited to lists trusted keys for islands of DS record is also well suited to lists trusted keys for islands of
security in configuration files. security in configuration files.
2.4 Presentation format of DS record 2.4 Presentation format of DS record
The presentation format of DS record consists of 2 numbers followed by The presentation format of DS record consists of 2 numbers followed by
digest presented in hex. digest presented in hex.
foo.example DS 12345 3 123456789abcdef67890
2.5 Transition issues for installed base 2.5 Transition issues for installed base
RFC2535 compliant resolver will assume that all DS secured delegations RFC2535 compliant resolver will assume that all DS secured delegations
are locally secure. This is a bad thing, thus it might be necessary are locally secure. This is a bad thing, thus it might be necessary
for a transition period to support both DS and SIG@Child. The cost is for a transition period to support both DS and SIG@Child. The cost is
one more signatures in the answer and that early adopters have to use one or more signatures in the answer for KEY records and that early
cumbersome communications that DS solves. adopters have to use cumbersome communications that DS solves.
This section needs work, it needs list of all cases and find if there 2.6 Backwards compatibilty with RFC2535 SIG@child and RFC1035
are any where resolvers get confused or can not determine what the
security status of child is. This section documents how a resolver determines the type of
delegation.
RFC1035 delegation has:
RFC1035 NS
RFC2535 adds the following two cases:
Secure RFC2535: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT
Insecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT
KEY must be null-key.
DS adds the following two states:
Secure DS: NS + DS + SIG(DS) + NXT + SIG(NXT)
NXT bit map contains: NS SIG NXT DS
Insecure DS: NS + NXT + SIG(NXT)
NXT bit map contains: NS SIG KEY NXT NODS
If the NODS bit is not used, a resover can not determine if this is a
DS delegation zone. Thus is not able to determine if this delegtion is
a secure RFC2535 or a insecure DS.
2.6.1 NODS support in servers
NODS is a virtual type, servers MUST refuse to store any record of
this type. No special processing is required on answers.
3 Resolver Example 3 Resolver Example
To create a chain of trust resolver goes from trusted KEY to DS to To create a chain of trust resolver goes from trusted KEY to DS to
KEY. KEY.
Assume the key for domain "example." is trusted. In zone "example." Assume the key for domain "example." is trusted. In zone "example."
we have we have
example. KEY <stuff> example. KEY <stuff>
secure.example. DS tag=10243 alg=3 <foofoo> secure.example. DS tag=10243 alg=3 <foofoo>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns1.secure.example. NS ns2.secure.example.
secure.example. NXT NS SIG NXT DS unsecure.example. secure.example. NXT NS SIG NXT DS unsecure.example.
secure.example. SIG(NXT) secure.example. SIG(NXT)
secure.example. SIG(DS) secure.example. SIG(DS)
unsecure.example NS ns1.unsecure.example. unsecure.example NS ns1.unsecure.example.
unsecure.example NS ns2.unsecure.example. unsecure.example NS ns2.unsecure.example.
unsecure.example. NXT NS SIG NXT .example.
unsecure.example. NXT NS SIG NXT NODS .example.
unsecure.example. SIG(NXT) unsecure.example. SIG(NXT)
In zone "secure.example." we have In zone "secure.example." we have
secure.example. SOA <soa stuff> secure.example. SOA <soa stuff>
secure.example. NS ns1.secure.example. secure.example. NS ns1.secure.example.
NS ns1.secure.example. NS ns1.secure.example.
secure.example. KEY <tag=12345 size=1024 alg=3> secure.example. KEY <tag=12345 size=1024 alg=3>
KEY <tag=54321 size=512 alg=5> KEY <tag=54321 size=512 alg=5>
KEY <tag=32145 size=1024 alg=3> KEY <tag=32145 size=1024 alg=3>
secure.example. SIG(KEY) <key-tag=12345 alg=3> secure.example. SIG(KEY) <key-tag=12345 alg=3>
skipping to change at page 9, line 11 skipping to change at page 9, line 14
DS adds processing overhead on resolvers, increases the size of DS adds processing overhead on resolvers, increases the size of
delegation answers but much less than SIG@Parent. delegation answers but much less than SIG@Parent.
4 Acknowledgments 4 Acknowledgments
Number of people have over the last few years contributed number of Number of people have over the last few years contributed number of
ideas that are captured in this document. The core idea of using one ideas that are captured in this document. The core idea of using one
key to only sign key set, comes from discussions with Bill Manning and key to only sign key set, comes from discussions with Bill Manning and
Perry Metzger on how to put in a single root key in all resolvers. Perry Metzger on how to put in a single root key in all resolvers.
Brian Wellington, Jakob Schlyter, Scott Rosen, Edward Lewis, Dan Alexis Yushin, Brian Wellington, Jakob Schlyter, Scott Rosen, Edward
Massey, Mark Kosters, Olaf Kolman, Miek Gieben, Havard Eidnes, Donald Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf Kolman, Miek
Eastlake 3rd., Randy Bush, Rob Austein, Roy Arends, and others have Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka,
provided useful comments. Rob Austein, Derek Atkins, Roy Arends, and others have provided useful
comments.
4 - Security Considerations: 4 - Security Considerations:
This document proposes a change to the validation chain of KEY records This document proposes a change to the validation chain of KEY records
in DNS. The change in is not believed to reduce security in the in DNS. The change in is not believed to reduce security in the
overall system, in RFC2535 DNSSEC child must communicate keys to overall system, in RFC2535 DNSSEC child must communicate keys to
parent and prudent parents will require some authentication on that parent and prudent parents will require some authentication on that
handshake. The modified protocol will require same authentication but handshake. The modified protocol will require same authentication but
allows the child to exert more local control over its own KEY set. allows the child to exert more local control over its own KEY set.
skipping to change at page 10, line 5 skipping to change at page 10, line 10
base of implementations, as well as text books on how to set up base of implementations, as well as text books on how to set up
secured delegations. Implementations that do not understand DS record secured delegations. Implementations that do not understand DS record
will not be able to follow the KEY to DS to KEY chain and consider all will not be able to follow the KEY to DS to KEY chain and consider all
zone secured that way insecure. zone secured that way insecure.
5 - IANA Considerations: 5 - IANA Considerations:
IANA needs to allocate RR type code for DS from the standard RR type IANA needs to allocate RR type code for DS from the standard RR type
space. space.
IANA needs to allocate RR type code for the virtual NODS record from
the standard RR type space. Note: SINK (40) was never implemented and
that type code can be reused for NODS.
References: References:
[RFC1035] P. Mockapetris, ``Domain Names - Implementation and [RFC1035] P. Mockapetris, ``Domain Names - Implementation and
Specification'', STD 13, RFC 1035, November 1987. Specification'', STD 13, RFC 1035, November 1987.
[RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC [RFC2535] D. Eastlake, ``Domain Name System Security Extensions'', RFC
2535, March 1999. 2535, March 1999.
[RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing [RFC3008] B. Wellington, ``Domain Name System Security (DNSSEC) Signing
Authority'', RFC 3008, November 2000. Authority'', RFC 3008, November 2000.
skipping to change at page 10, line 36 skipping to change at page 11, line 7
Author Address Author Address
Olafur Gudmundsson Olafur Gudmundsson
3826 Legation Street, NW 3826 Legation Street, NW
Washington, DC, 20015 Washington, DC, 20015
USA USA
<ogud@ogud.com> <ogud@ogud.com>
Appendix A: Changes from Prior versions Appendix A: Changes from Prior versions
Changes from version 02
Added text outlawing DS at non delegations.
Added table showing the contents of DS, SIG@child, and RFC1034
delegations.
Added the NODS type/bit definition to distiguish insecure DS
delegation from secure SIG@child one.
Added the requirement that NXT be returned with referal answers.
Minor text edits.
Changes from version 01 Changes from version 01
Deleted KEY size field as it did not contribute anything but Deleted KEY size field as it did not contribute anything but
complexity. complexity.
Number of wordsmith changes to make document more readable. Number of wordsmith changes to make document more readable.
The word CAN was used when SHOULD was intended. The word CAN was used when SHOULD was intended.
Deleted section 2.4 "Justifications for compact format" moved relevant Deleted section 2.4 "Justifications for compact format" moved relevant
text to section 2.2. text to section 2.2.
Reverse alphabetized the acknowledgments section. Reverse alphabetized the acknowledgments section.
Reorganized sections 1 and 2 for readability. Reorganized sections 1 and 2 for readability.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/