DNSEXT Working Group                                Olafur Gudmundsson
  <draft-ietf-dnsext-delegation-signer-04.txt>
  <draft-ietf-dnsext-delegation-signer-05.txt>

  Updates: RFC 1035, RFC 2535, RFC 3008. 3008, RFC 3090.

                   Delegation Signer record in parent. Resource Record

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-Drafts. Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Comments should be sent to the authors or the DNSEXT WG mailing list
   namedroppers@ops.ietf.org

   This draft expires on May 20, July 5, 2002.

   Copyright Notice

   Copyright (C) The Internet Society (2001). (2002).  All rights reserved.

Abstract

   The Delegation Signer (DS) RR set Resource Record is stored in inserted at a delegating (parent) zone at each delegation point, cut point
   to indicate tha the delegated zone is digitally signed and indicates that the keys used in
   delegation zone recognizes the indicated key as a valid zone key for
   the delegated (child) zone. The main design goal of the DS RR simplify is an modification to the
  operation of secure delegations DNS Security
   Extensions definition, motivated by eliminating the need operational considerations. The
   intent is to store use the
  same RR in parent and child, resource record as is done with an explicit statement about
   the NS RR set and delegation, rather than relying on inference.

   This document defines the KEY
  set in RFC2535.
  Secure resolvers need to take an additional step with DS to verify a
  child's KEY RR set. Operationally this schema is much simpler as
  operation RR, gives examples of how it is used and
   the two zones at delegation implications of this record on resolvers. This change is now decoupled to great
  extent. not
   backwards compatible with RFC 2535.
   This document updates RFC1035, RFC2535 RFC2535, RFC3008 and RFC3008. RFC3090.

1 - Introduction

   Familiarity with the DNS system [RFC1035], DNS security extensions
   [RFC2535] and DNSSEC terminology [RFC3090] is important.

  When

   Experience shows that when the same data can reside in two
   administratively different DNS zones, the data frequently gets out of
   sync. NS record in a zone indicates that this name is a delegation
   and the NS  record lists the authorative servers for the real zone.
   Based on actual measurements 10-30% of all delegations in the
   Internet have differing NS sets at parent and child. There are number
   of reasons for this, including lack of communication between parent
   and child and bogus name-servers being listed to meet registrar
   requirements.

   DNSSEC [RFC2535,RFC3008,RFC3090] specifies that child must have its
   KEY set signed by the parent to create a verifiable chain of KEYs.
   There is has been some debate, debate on where the signed KEY set should reside,
  parent[Parent]
   at the child[RFC2535] or child[RFC2535]. at the parent. If the KEY set resides at the
   child, maintaining the signed KEY set in the child, requires frequent
   two way communication is needed between the two parties. First the
   child needs to transmit the key set to parent and then the parent
   sends the signed set or signatures to child. If Storing the KEY set
  resides at the
   parent simplifies the communication is reduced as the child only
  sends changed key sets to parent. communication.

   DNSSEC[RFC2535] requires that the parent store NULL key set for
   unsecure children, this is intended to be a signal that the child is
   unsecure. NULL Key RRset is a waste as a whole signed RRset is used
   to effectively communicate one bit of information, child is unsecure.
   Chasing down NULL key records complicates resolution process in many
   cases as servers for both parent and child need to be queried for KEY
   set if the child server does not return a KEY set.  Storing the KEY
   record only in the parent zone simplifies this and allows would allow the
   elimination of the NULL key set. For large delegation zones the cost
   of NULL keys is significant barrier to deployment.

   Another complication of the DNSSEC KEY model is that KEY record is
   used to store DNS zone keys and public keys for other protocols.

   There are number of potential problems with this including:
     1. KEY set can become quite large if many applications/protocols
     store their keys at the zone apex. Possible protocols are IPSEC,
     HTTP, SMTP, SSH and others that use public key cryptography.
     2. Key set may require frequent updates.
     3. Probability of compromised/lost keys increases and triggers
     emergency key rollover procedures.
     4. Parent may refuse sign key sets with NON DNS zone keys.
     5. Parent may not meet the child's expectations in turnaround time
     in resigning the key set.

   Given these and other reasons there is good reason to explore
   alternatives to using only KEY records to create chain of trust.

   Some of these problems can be reduced or eliminated by operational
   rules or protocol changes. To reduce the number of keys at apex, a
   rule to require applications to store their KEY records at the SRV
   name for that application is one possibility. Another is to restrict
   KEY record to DNS keys only and create a new type for all non DNS
   keys. Third possible solution is to ban the storage of non DNS
   related keys at zone apex. There are other possible solutions but
   they are outside the scope of this document.

1.2 - Reserved words

   The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
   "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
   interpreted as described in RFC2119.

2 - DS (Delegation KEY Signer)

2.1 - Delegation Signer Record model

   This document proposes an alternative to presents replacement of the DNSSEC KEY record chain of
  trust,
   trust[RFC2535], that uses a special record new RR that can only reside at the parent.
   This record will identify the key(s) that child are allowed uses to self sign its
   own KEY set.

   The chain of trust is now established by verifying the parent KEY
   set, the DS set from the parent and the KEY set at the child. This is
   cryptographically equivalent to just using KEY records.

   Communication between the parent and child is greatly reduced, since
   the child only needs to notify parent about changes in keys that sign
   its apex KEY RRset.  Parent is ignorant of all other keys in the
   child's apex KEY RRset, and furthermore the child maintains full control
   over the apex KEY set and its content.  Child can maintain any
   policies over its DNS and other KEY usage with minimal impact on
   parent. Thus if child wants to have frequent key rollover for its DNS
   zone keys parent does not need to be aware of it as the child can use
   one key to only sign its apex KEY set and other keys to sign the
   other record sets in the zone.

   This model fits well with slow roll out of DNSSEC and islands of
   security model. In the islands of security model someone that trusts
   "good.example." can preconfigure a key from "good.example." as a
   trusted keys and from then on trusts any data that is signed by that
   key or has a chain of trust to that key.  If "example." starts
   advertising DS records, "good.example." does not have to change
   operations, by suspending self-signing. DS records can also be used
   to identify trusted keys instead of KEY records.  One further  Another significant
   advantage is the information stored in the parent is minimized, large delegation zones
   reduced, as only signed keying records for secure delegations are needed.
   needed, unlike the NULL KEY record at every unsecure delegation.

   The main disadvantage of this approach that verifying delegations KEY
   set requires twice as many two signature verification operations. operations instead of one in
   RFC 2535.  There is no impact on the number of signatures verified
   for other RR sets.

2.2 Protocol change

   All DNS servers and resolvers that support DS MUST support OK bit
   [RFC3225] and support larger message size[RFC3226].  Each secure
   delegation in a secure zone MUST contain a DS RR set.  If a query
   contains the OK bit, server returning a referral for the delegation
   MUST include the following RR sets in the authority section in this
   order:
        parent NS
        DS and SIG(DS)  (if present)
        parent NXT and SIG(NXT/parent)
   This increases the size of referral messages and may cause some or
   all glue to be omitted. If DS or NXT RR or their signatures do not
   fit inside the DNS message the TC bit must be set.  Additional
   section processing is not changed.

   If a DS RR set accompanies the NS RR set, the intent is to state this states that the child
   zone is secured. If an NS RR set exists without a DS RR set the
   intent is to state that the child zone is unsecure.  DS sets MUST NOT
   appear at non delegations or at zone APEX.

  In a zone that uses DS, insecure delegations MUST have the NODS[TBD]
  bit set in the NXT record. This is required to differenciate this
  delegation from Secure RFC2535 delegation.

  Updates

   Following section 2.2.1 replaces RFC2535 sections 2.3.4 and 3.4, as well as
   section 2.2.2 replaces RFC3008 section
  2.7:
  Delegating zones MUST NOT store KEY records for delegations. The only
  records that can appear at delegation in parent 2.7, RFC3090 updates are NS, SIG, NXT in
   section 2.2.3.

2.2.1 RFC2535 2.3.4 and
  DS.

  Zone MUST self sign its apex KEY set, it SHOULD sign it 3.4: Special considerations at delegation points

   DNS security would like to view each zone as a unit of data
   completely under the control of the zone owner with each entry
   (RRset) signed by a special private key
  that corresponds to a DS record in held by the parent. The KEY used to sign zone manager.
   But the apex KEY RRset MAY sign other RRsets DNS protocol views the leaf nodes in a zone, which are also
   the zone.

  If child apex KEY RRset is not signed with one nodes of a subzone (i.e., delegation points), as "really"
   belonging to the keys specified subzone.  These nodes occur in two master files and
   might have RRs signed by both the DS record the child is locally secure[RFC3090] upper and SHOULD only lower zone's keys. A
   retrieval could get a mixture of these RRs and SIGs, especially since
   one server could be considered secure if the resolver has been configured to trust serving both the
  key used.

  Authorative server answering zone above and below a query with the OK bit[OKbit] set,
   delegation point[RFC 2181].

   For every secure delegation there MUST
  include the be a DS records record stored in
   parent zone signed by parent zone key. Parent zone MUST NOT contain
   KEY record at delegation points. Delegations in parent MAY only
   contain following RR types NS, DS, NXT and SIG. NS RR set MUST NOT be
   signed.  The NXT record along with signatures RR type is the exceptional case that will always
   appear differently and authoritatively in answers both the super-zone and
   subzone, if both are secure.

   All secure zones MUST contain a self signed KEY RR set at apex.  Upon
   verifying the DS set from the parent, the resolver MAY trust any KEY
   identified in the DS set as a valid signer of the childs apex KEY
   set. Resolvers configured to trust one of the KEY's signing the KEY
   set MAY now treat any data signed by the zone keys in the KEY set as
   secure.  In all other cases resolvers MUST consider the zone
   insecure. DS RR MUST NOT appear at zone APEX.

2.2.2 Signers name (replaces RFC3008 section 2.7)

   The signer's name field of a data SIG MUST contain the name of the
   zone to which the data and signature belong.  The combination of
   signer's name, key tag, and algorithm MUST identify a zone key if the
   SIG is to be considered material.  This document defines a standard
   policy for DNSSEC validation; local policy may override the standard
   policy.

   There are no restrictions on the signer field of a delegation SIG(0) record.
   The combination of signer's name, key tag, and space algorithm MUST
   identify a key if this SIG(0) is to be processed.

2.2.4 changes to RFC3090

   Number of sections of RFC3090 need to be updated to reflect the DS
   record.

2.2.4.1 RFC3090: Updates to section 1: Introduction

   Most of the text is still relevant but the words ``NULL key'' are to
   be replaced with ``missing DS set''. In section 1.3 the last three
   paragraphs discuss the confusion in sections of RFC 2535, that are
   replaced in section 2.2.1 above, thus these paragraphs are now
   obsolete.

2.2.4.2 RFC3090 section 2.1: Globally Secured

   Rule 2.1.b is available. replaced by following rule:

   2.1.b. The zone's apex KEY RR set MUST be self signed by a private
   key in the KEY RR set. The private key's public companion MUST be a
   zone signing KEY RR (2.a) of a mandatory to implement algorithm and
   owned by the parent's apex. This KEY must be identified by a signed
   DS RR in the parent zone.

   If a zone cannot get a parent to advertise a DS record for it, child
   zone cannot be considered globally secured.  The only exception to
   this is the root zone, for which there is no parent zone

2.2.4.3 RFC3090 section 3: Experimental Status.

   The only difference between Experimental status and NXT records SHOULD
  have lower priority than address records but higher priority than KEY.
  Caching servers SHOULD return globally secured
   is the missing DS and parent NXT record(s) in the
  additional section under the same condition.

2.2.1 parent. All Locally Secured zones are
   Experimental.

2.3 - Comments on protocol change changes

   Over the years there has been various discussions on that the
   delegation model in DNS is broken as there is no real good way to
   assert if delegation exists. In RFC2535 version of DNSSEC the
   authentication of a delegation is the NS bit in the NXT bitmap at the
   delegation point. Something more explicit is needed and the DS record
   addresses this for secure delegations.

   DS record is a major change to DNS as it is the first DNS record that
   can only appear on the upper side of a delegation. NS records appear at both sides as do SIG and
  NXT.  All other records can only appear at the lower side. This Adding it will
   cause some interoperabilty problems as servers authorative and a flag day for parent, reject DS
  record even if the server understands unknown types, or DNSSEC. Many old
   servers and resolvers MUST be upgraded to take advantage of DS.  Some
   old servers will not hand
  them out unless explicitly asked. Similarly a nameserver acting as a be able to be authorative for child and as a caching recursive server may never
  return the DS record.

  A caching server that supports unkown types, does not care from which
  side zones with DS record comes from and thus does records
   but will not have to be changed.
  Different TTL values on add the child's NS set NXT and parents DS set can
  cause the DS set records to expire before the NS set.

  Secure resolvers need authority section.  Same
   goes for caching servers, some may even refuse to know about pass on the DS record and how to interpret
  it.  In the worst case, introducing the DS record, doubles the
  signatures that need to be checked to validate a KEY set.

2.3
   NXT records.

2.4 Wire format of DS record

   The DS (type=TDB) record consists of algorithm, key tag and SHA-1
   digest of the a public key KEY record allowed that is allowed/used to sign the
   child's delegation. Other keys MAY sign the child's apex KEY set.

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           key tag             |  algorithm    |  Digest type  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                SHA-1 digest                                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                (20 bytes)                                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
      |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   The key tag is calculated as specified in RFC2535, Algorithm MUST be
   an algorithm number assigned in the range 1..251 and the algorithm
   MUST be allowed to sign DNS data.  The SHA-1 digest type is an identifier
   for the digest algorithm used. The digest is calculated over the
   canonical name of the delegation followed by the whole RDATA of the
   KEY record.
  DS records MUST NOT point to a null KEY record, and

   Digest type value 0 is reserved, value 1 is SHA-1, reserving other
   types requires IETF standards action. For interoperabilty reasons as
   few digest type algorithms should be reserved, the KEY records
  pointed only reason to by DS records MUST have protocol value 3 (DNSSEC).
   reserve another digest type is to increase security.
   DS records MUST NOT point to zone KEY records where flag that are allowed to
   authenticate DNS data. Protocol MUST be set to 3.  Flag field has folowing
  bit settings, bit bits 0 (no authentication) is set, bit
   and 6 MUST be set to 0
  and 0, bit 7 MUST be set to 1 (zone key). Settings 1.  Value of other bits are
   is not important.
   The size of the DS RDATA for type 1(SHA-1) is 23 24 bytes, regardless of
   key size.

2.3.1

2.4.1 Justifications for fields

   The algorithm and key tag fields are here to allow resolvers to
   quickly identify the candidate KEY records to examine.  The key tag
   adds some greater assurance than SHA-1 digest on its own. SHA-1 is a
   strong cryptographic checksum, it is real hard for attacker to
   generate a KEY record that has the same SHA-1 digest.  Combining the
   name of the key and the key data as input to the digest provides
   stronger assurance of the binding.

   This format allows concise representation of the keys that child will
   use, thus keeping down the size of the answer for the delegation,
   reducing the probability of packet overflow. The SHA-1 hash is strong
   enough to uniquely identify the key. This is similar to the PGP
   footprint. The digest type field is there for possible future
   expansion.

   DS record is also well suited to lists trusted keys for islands of
   security in configuration files.

2.4

2.5 Presentation format of DS record

   The presentation format of DS record consists of 2 numbers followed
   by digest presented in hex.
       foo.example       DS      12345 3 1 123456789abcdef67890

2.5

2.6 Transition issues for installed base

   RFC2535 compliant resolver will assume that all DS secured
   delegations are locally secure. This is a bad thing, thus it might be necessary
  for a transition period but the DNSEXT
   working group has determined that rather than having to support have to deal
   with both DS RFC2535 secured zone and SIG@Child. The cost DS secured zone, a rapid adaption
   of DS is
  one or more signatures in preferable.  Thus the answer only option for KEY records and that early adopters have is to
   upgrade to use cumbersome communications that DS solves.  #.bp

2.6 as soon as possible.

2.6.1 Backwards compatibilty compatibility with RFC2535 SIG@child and RFC1035

   This section documents how a resolver determines the type of
   delegation.
   RFC1035 delegation has:

   RFC1035           NS

   RFC2535 adds the following two cases:

   Secure RFC2535:   NS + NXT + SIG(NXT)
                     NXT bit map contains: NS SIG NXT
   Insecure RFC2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
                     NXT bit map contains: NS SIG KEY NXT
                     KEY must be null-key.

   DS adds has the following two states:

   Secure DS:        NS + DS + SIG(DS) + NXT + SIG(NXT)
                     NXT bit map contains: NS SIG NXT DS
   Insecure DS:      NS + NXT + SIG(NXT)
                     NXT bit map contains: NS SIG KEY NXT NODS

  If the NODS bit
   It is not used, hard for a resover can not resolver to determine if this is a
  DS delegation zone. Thus is not able to determine if this delegtion is
  a secure RFC2535 Secure 2535
   or a insecure Insecure DS.

2.6.1 NODS support in servers

  NODS is This can be overcome by adding a virtual type, servers MUST refuse flag to store any record the NXT bit
   map but only upgraded resolvers will understand this flag. Having
   both parent and child signatures on the keyset may allow old
   resolvers to accept zone as secure, but the cost of doing this type. No special processing for a
   long time is required on answers. much higher than just outlaw Sig@Child and force rapid
   deployment of DS enabled servers and resolvers.

   RFC 2535 and DS can in theory be deployed in parallel, but this will
   require resolvers to deal with RFC 2535 configurations forever.  This
   document obsoletes NULL KEY in parent zones, that is difficult enough
   change that flag day is required.

3 Resolver Example

   To create a chain of trust resolver goes from trusted KEY to DS to
   KEY.

   Assume the key for domain "example." is trusted.  In zone  Zone "example."
  we have
   contains at least the following records:
   example.    SOA     <soa stuff>
   example.    NS   ns.example.
   example.          KEY     <stuff>
   example.    NXT       NS SOA KEY SIG NXT
   example.    SIG(SOA)
   example.    SIG(NS)
   example.    SIG(NXT)
   example.          KEY     <stuff>    SIG(KEY)
   secure.example.   NS      ns1.secure.example.
   secure.example.   DS      tag=10243 alg=3 <foofoo>
   secure.example.   NS      ns1.secure.example.
                    NS      ns2.secure.example.
  secure.example.   NXT     NS SIG NXT DS unsecure.example.
   secure.example.   SIG(NXT)
   secure.example.   SIG(DS)
   unsecure.example  NS      ns1.unsecure.example.
  unsecure.example  NS      ns2.unsecure.example.
   unsecure.example. NXT     NS SIG NXT NODS .example.
   unsecure.example. SIG(NXT)

   In zone "secure.example." we have following records exist:
   secure.example. SOA      <soa stuff>
   secure.example. NS       ns1.secure.example.
                  NS       ns1.secure.example.
   secure.example. KEY      <tag=12345 size=1024 alg=3>
                  KEY      <tag=54321 size=512 alg=5>
                  KEY      <tag=32145 size=1024 alg=3>
   secure.example. SIG(KEY) <key-tag=12345 alg=3>
   secure.example. SIG(SOA) <key-tag=54321 alg=5> <key-tag=12345 alg=3>
   secure.example. SIG(NS)  <key-tag=54321  <key-tag=12345 alg=5>

   In this example the trusted key for "example." signs the DS record
   for "secure.example.", making that a trusted record. The DS record
   states what key is expected to sign the KEY RRset at
   "secure.example".  Here "secure.example." has three different signs its KEY records and set with the
   KEY identified in the DS record signs the KEY set, thus the KEY set is validated and
   trusted.  Note that one of the other keys in the keyset
  actually signs the zone data, and resolvers will trust the signatures
  as the key appears in the KEY set.

   This example has only one DS record for the child but there no reason
  to outlaw child, parents MUST allow
   multiple DS records. More than one DS record is needed
  during signing records to facilitate key rollover.  It is strongly
   recommended that the DS set be kept small. small, 2 or 3 records SHOULD be
   sufficient in all cases.

   Resolver determines the security status of "unsecure.example." by
   examining the parent size NXT for this name.

3.1 Resolver cost estimates for DS records

   From a RFC2535 resolver point of view for each delegation followed to
   chase down an answer one KEY record has to be verified and possibly
   some other records based on policy, for example the contents of the
   NS set. Once the resolver gets to the appropriate delegation
   validating the answer may require verifying one or more signatures.
   A simple A record lookup requires at least N delegations to be
   verified and 1 RRset. For a DS enabled resolver the cost is 2N+1.
   For MX record the cost where the target of the MX record is in the
   same zone as the MX record the costs are N+2 and 2N+2. In the case of negative answer the
  same ratios hold true.

  Resolver may require an extra query to get the DS record and this may
  add to the overall cost of the query, but this is never worse than
  chasing down NULL KEY records from the parent in RFC2535 DNSSEC.

  DS adds processing overhead on resolvers, increases the size of
  delegation answers but much less than SIG@Parent.

4 Acknowledgments

  Number of people have over the last few years contributed number of
  ideas that are captured in this document. The core idea of using one
  key to only sign key set, comes from discussions with Bill Manning and
  Perry Metzger on how to put in a single root key in all resolvers.
  Alexis Yushin, Brian Wellington, Jakob Schlyter, Scott Rosen, Edward
  Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf Kolman, Miek
  Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David Blacka,
  Rob Austein, Derek Atkins, Roy Arends, costs are N+2 and others have provided useful
  comments. 2N+2. In the case of
   negative answer the same ratios hold true.

   Resolver may require an extra query to get the DS record and this may
   add to the overall cost of the query, but this is never worse than
   chasing down NULL KEY records from the parent in RFC2535 DNSSEC.

   DS adds processing overhead on resolvers, increases the size of
   delegation answers but much less than SIG@Parent.

4 - Security Considerations:

   This document proposes a change to the validation chain of KEY
   records in DNS. The change in is not believed to reduce security in
   the overall system, in RFC2535 DNSSEC child must communicate keys to
   parent and prudent parents will require some authentication on that
   handshake. The modified protocol will require same authentication but
   allows the child to exert more local control over its own KEY set.

   There is a possibility that an attacker can generate an valid KEY
   that matches all the DS fields thus starting to forge data from the
   child. This is considered impractical as on average more than 2^80
   keys must be generated before one is found that will match.

   DS record is a change to DNSSEC protocol and there is some installed
   base of implementations, as well as text books on how to set up
   secured delegations. Implementations that do not understand DS record
   will not be able to follow the KEY to DS to KEY chain and consider
   all zone secured that way insecure.

5 - IANA Considerations:

   IANA needs to allocate RR type code for DS from the standard RR type
   space.

   IANA needs to allocate RR open a new registry for the DS type code for Digest
   algorithms, Defined types are, 0 is Reserved,  1 is SHA-1. Adding new
   reservations requires IETF standards action.

4 Acknowledgments

   Number of people have over the virtual NODS record last few years contributed number of
   ideas that are captured in this document. The core idea of using one
   key to only sign key set, comes from
  the standard RR type space. Note: SINK (40) was never implemented discussions with Bill Manning
   and
  that type code can be reused for NODS. Perry Metzger on how to put in a single root key in all
   resolvers.
   Alexis Yushin, Brian Wellington, Paul Vixie, Jakob Schlyter, Scott
   Rosen, Edward Lewis, Dan Massey, Lars-Johan Liman, Mark Kosters, Olaf
   Kolman, Phillip Hallam-Baker, Miek Gieben, Havard Eidnes, Donald
   Eastlake 3rd., Randy Bush, David Blacka, Steve Bellovin, Rob Austein,
   Derek Atkins, Roy Arends, Harald Alvestrand, and others have provided
   useful comments.

References:

[RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
           Specification'', STD 13, RFC 1035, November 1987.

[RFC2181]  R. Elz, R. Bush, ``Clarifications to the DNS Specification'',
           RFC 2181, July 1997.

[RFC2535]  D. Eastlake, ``Domain Name System Security Extensions'', RFC
           2535, March 1999.

[RFC3008]  B. Wellington, ``Domain Name System Security (DNSSEC) Signing
           Authority'', RFC 3008, November 2000.

[RFC3090]  E. Lewis `` DNS Security Extension Clarification on Zone
           Status'', RFC 3090, March 2001.

[OKbit]

[RFC3225]  D. Conrad, ``Indicating Resolver Support of DNSSEC'', work in
           progress <draft-ietf-dnsext-dnssec-okbit-02.txt>, April RFC
           3225, December 2001.

[Parent]   R. Gieben, T. Lindgreen, ``Parent stores the child's zone
           KEYs'', work in progress <draft-ietf-dnsext-parent-stores-
           zones-keys-01.txt>, May

[RFC3226]  O. Gudmundsson, ``DNSSEC and IPv6 A6 aware server/resolver
           message size requirements'', RFC 3226, December 2001.

Author Address

      Olafur Gudmundsson
      3826 Legation Street, NW
      Washington, DC,  20015
      USA
      <ogud@ogud.com>

Appendix A: Changes from Prior versions

Changes from version 04
   Reworded document to obsolete RFC2535 chain of trust, no backwards
   compatibility.  Require DS and NXT records in referrals in authority
   section.  Removed the NODS bit.
   Added the requirement for OK bit and Message size.
   Rewrote Abstract to better express what is in the document.
   Removed size field from examples and simplified them.

Changes from version 03
   Added strict rules on what KEY records can be pointed to by DS.

Changes from version 02
   Added text outlawing DS at non delegations.
   Added table showing the contents of DS, SIG@child, and RFC1034
   delegations.
   Added the NODS type/bit definition to distiguish distinguish insecure DS
   delegation from secure SIG@child one.
   Added the requirement that NXT be returned with referal referral answers.
   Minor text edits.

Changes from version 01
   Deleted KEY size field as it did not contribute anything but
   complexity.
   Number of wordsmith changes to make document more readable.
   The word CAN was used when SHOULD was intended.
   Deleted section 2.4 "Justifications for compact format" moved
   relevant text to section 2.2.
   Reverse alphabetized the acknowledgments section.
   Reorganized sections 1 and 2 for readability.

Changes from version 00
   Changed name from DK to DS based on working group comments.
   Dropped verbose format based on WG comments.
   Added text about TTL issue/problem in caching servers.
   Added text about islands of security and clarified the cost impact.
   Major editing of arguments and some reordering of text for clarity.
   Added section on transition issues.

Full Copyright Statement

   Copyright (C) The Internet Society (2001). (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."