draft-ietf-dnsext-delegation-signer-03.txt vs. draft-ietf-dnsext-delegation-signer-04.txt
(text common to both versions is shown once; lines that differ are prefixed 03: and 04:)

DNSEXT Working Group                                   Olafur Gudmundsson
<draft-ietf-dnsext-delegation-signer-03.txt> / <draft-ietf-dnsext-delegation-signer-04.txt>
Updates: RFC 1035, RFC 2535, RFC 3008.

Delegation Signer record in parent.

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

skipping to change at page 1, line 33

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

Comments should be sent to the authors or the DNSEXT WG mailing list
namedroppers@ops.ietf.org

03: This draft expires on March 26, 2002.
04: This draft expires on May 20, 2002.

Copyright Notice

Copyright (C) The Internet Society (2001). All rights reserved.

Abstract

The Delegation Signer (DS) RR set is stored in a delegating (parent)
zone at each delegation point, and indicates the keys used in the
delegated (child) zone. The main design goal of the DS RR simplify the
skipping to change at page 6, line 5

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          (20 bytes)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

03: The key tag is calculated as specified in RFC2535. The algorithm MUST
03: be an algorithm number assigned in the range 1..251. The SHA-1 digest
03: is calculated over the canonical name of the delegation followed by
03: the RDATA of the KEY record.

04: The key tag is calculated as specified in RFC2535. The algorithm MUST
04: be an algorithm number assigned in the range 1..251 and the algorithm
04: MUST be allowed to sign DNS data. The SHA-1 digest is calculated over
04: the canonical name of the delegation followed by the RDATA of the KEY
04: record.

04: DS records MUST NOT point to a null KEY record, and the KEY records
04: pointed to by DS records MUST have protocol value 3 (DNSSEC).

04: DS records MUST NOT point to KEY records where the flag field has the
04: following bit settings: bit 0 (no authentication) is set; bit 6 MUST
04: be set to 0 and bit 7 MUST be set to 1 (zone key). Settings of other
04: bits are not important.

The size of the DS RDATA is 23 bytes, regardless of key size.
2.3.1 Justifications for fields

The algorithm and key tag fields are here to allow resolvers to
quickly identify the candidate KEY records to examine. The key tag
adds some greater assurance than the SHA-1 digest on its own. SHA-1 is
a strong cryptographic checksum; it is very hard for an attacker to
generate a KEY record that has the same SHA-1 digest. Combining the
name of the key and the key data as input to the digest provides
skipping to change at change at page 6, line 41 (03) / page 7, line 11 (04)

The presentation format of the DS record consists of 2 numbers followed
by the digest presented in hex.

foo.example DS 12345 3 123456789abcdef67890

2.5 Transition issues for installed base

An RFC2535-compliant resolver will assume that all DS secured
delegations are locally secure. This is a bad thing, thus it might be
necessary for a transition period to support both DS and SIG@Child. The
cost is one or more signatures in the answer for KEY records and that
early
03: adopters have to use cumbersome communications that DS solves.
04: adopters have to use cumbersome communications that DS solves. #.bp

2.6 Backwards compatibility with RFC2535 SIG@child and RFC1035

This section documents how a resolver determines the type of
delegation.

RFC1035 delegation has:
RFC1035 NS

RFC2535 adds the following two cases:
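Putting the section 2.3 rules and the section 2.4 presentation format together, here is an added example (not code from the draft or from any DNS implementation) that checks a KEY record against the 04 restrictions and builds the 23-byte DS RDATA from it. The owner name and public key bytes are constructed placeholders, and the key tag uses the general 16-bit sum of RFC 2535 Appendix C (algorithm 1 keys use a different rule there).

```python
import hashlib
import struct
# KEY flag bits, numbered from the most significant bit as in RFC 2535.
FLAG_BIT0_NO_AUTH = 0x8000   # bit 0 set: key cannot authenticate data
FLAG_BIT1_NO_CONF = 0x4000   # bits 0 and 1 both set: "null" key (no key)
FLAG_BIT6 = 0x0200           # bits 6-7 form the name-type field
FLAG_BIT7_ZONE_KEY = 0x0100  # name type 01 = zone key

def canonical_name(name):  # lowercase, uncompressed, root-terminated wire form
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):  # RFC 2535 App. C sum form (algorithm 1 keys use a modulus rule)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_rejection_reason(key_rdata):
    """Return None if a DS may point at this KEY, else the section 2.3 rule it breaks."""
    flags, protocol, algorithm = struct.unpack("!HBB", key_rdata[:4])
    if flags & FLAG_BIT0_NO_AUTH and flags & FLAG_BIT1_NO_CONF:
        return "null KEY record"
    if flags & FLAG_BIT0_NO_AUTH:
        return "bit 0 (no authentication) is set"
    if flags & FLAG_BIT6:
        return "bit 6 is set"
    if not flags & FLAG_BIT7_ZONE_KEY:
        return "bit 7 (zone key) is not set"
    if protocol != 3:
        return "protocol is not 3 (DNSSEC)"
    if not 1 <= algorithm <= 251:
        return "algorithm outside 1..251"
    return None

def make_ds(owner, key_rdata):
    """23-byte DS RDATA: key tag (2), algorithm (1), SHA-1(canonical owner || KEY RDATA)."""
    reason = key_rejection_reason(key_rdata)
    if reason is not None:
        raise ValueError("DS MUST NOT point to this KEY: " + reason)
    digest = hashlib.sha1(canonical_name(owner) + key_rdata).digest()
    return struct.pack("!HB", key_tag(key_rdata), key_rdata[3]) + digest

def present_ds(owner, ds_rdata):  # section 2.4 text form: key tag, algorithm, hex digest
    tag, alg = struct.unpack("!HB", ds_rdata[:3])
    return "%s DS %d %d %s" % (owner, tag, alg, ds_rdata[3:].hex())
# Constructed sample KEY RDATA: flags 0x0100 (zone key), protocol 3, algorithm 5,
# then made-up public key bytes (not a real key).
SAMPLE_KEY = bytes.fromhex("0100 03 05 0103 abcdef0123456789")
SAMPLE_DS = make_ds("foo.example", SAMPLE_KEY)
```

Calling `make_ds` on a KEY whose flags or protocol violate the 04 rules raises a `ValueError` naming the rule, which is the check a signing tool or validator would apply before trusting such a delegation.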
skipping to change at page 11, line 6

Author Address

Olafur Gudmundsson
3826 Legation Street, NW
Washington, DC, 20015
USA
<ogud@ogud.com>

Appendix A: Changes from Prior versions

04: Changes from version 03
04: Added strict rules on what KEY records can be pointed to by DS.

Changes from version 02
Added text outlawing DS at non delegations.
Added table showing the contents of DS, SIG@child, and RFC1034
delegations.
Added the NODS type/bit definition to distinguish insecure DS
delegation from secure SIG@child one.
Added the requirement that NXT be returned with referral answers.
Minor text edits.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/