| draft-ietf-dnsext-dnssec-algo-signal-04.txt | draft-ietf-dnsext-dnssec-algo-signal-05.txt | |||
|---|---|---|---|---|
| DNS Extensions Working Group S. Crocker | DNS Extensions Working Group S. Crocker | |||
| Internet-Draft Shinkuro Inc. | Internet-Draft Shinkuro Inc. | |||
| Intended status: Standards Track S. Rose | Intended status: Standards Track S. Rose | |||
| Expires: September 7, 2012 NIST | Expires: September 27, 2012 NIST | |||
| March 6, 2012 | March 26, 2012 | |||
| Signaling Cryptographic Algorithm Understanding in DNSSEC | Signaling Cryptographic Algorithm Understanding in DNSSEC | |||
| draft-ietf-dnsext-dnssec-algo-signal-04 | draft-ietf-dnsext-dnssec-algo-signal-05 | |||
| Abstract | Abstract | |||
| The DNS Security Extensions (DNSSEC) were developed to provide origin | The DNS Security Extensions (DNSSEC) were developed to provide origin | |||
| authentication and integrity protection for DNS data by using digital | authentication and integrity protection for DNS data by using digital | |||
| signatures. These digital signatures can be generated using | signatures. These digital signatures can be generated using | |||
| different algorithms. This draft sets out to specify a way for | different algorithms. This draft sets out to specify a way for | |||
| validating end-system resolvers to signal to a server which | validating end-system resolvers to signal to a server which | |||
| cryptographic algorithms and hash algorithms they support. | cryptographic algorithms and hash algorithms they support. | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 7, 2012. | This Internet-Draft will expire on September 27, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 6, line 47 | skipping to change at page 6, line 47 | |||
| processing on the server side. | processing on the server side. | |||
| If the options are present but the DNSSEC-OK (OK) bit is not set, the | If the options are present but the DNSSEC-OK (OK) bit is not set, the | |||
| server does not do any DNSSEC processing, including any recording of | server does not do any DNSSEC processing, including any recording of | |||
| the option(s). | the option(s). | |||
| 6. Traffic Analysis Considerations | 6. Traffic Analysis Considerations | |||
| Zone administrators that are planning or are in the process of a | Zone administrators that are planning or are in the process of a | |||
| cryptographic algorithm rollover operation should monitor DNS query | cryptographic algorithm rollover operation should monitor DNS query | |||
| traffic and record the values of the DAU/DHU/N3U option(s) in | traffic and record the number of queries, the presense of the OPT RR | |||
| queries. This monitoring can measure the deployment of client code | in queries and the values of the DAU/DHU/N3U option(s) (if present). | |||
| that implements (and signals) certain algorithms. Exactly how to | This monitoring can be used to measure the deployment of client code | |||
| that implements (and signals) certain algorithms. The Exactly how to | ||||
| capture DNS traffic and measure new algorithm adoption is beyond the | capture DNS traffic and measure new algorithm adoption is beyond the | |||
| scope of this document. | scope of this document. | |||
| Zone administrators can use this data to set plans for starting an | Zone administrators that need to comply with changes to their | |||
| algorithm rollover and determine when older algorithms can be phased | organization's security policy (with regards to cryptographic | |||
| out without disrupting a significant number of clients. In order to | algorithm use) can use this data to set milestone dates for | |||
| keep this disruption to a minimum, zone administrators should wait to | performing an algorithm rollover. For example, zone administrators | |||
| can use the data to determine when older algorithms can be phased out | ||||
| without disrupting a significant number of clients. In order to keep | ||||
| this disruption to a minimum, zone administrators should wait to | ||||
| complete an algorithm rollover until a large majority of clients | complete an algorithm rollover until a large majority of clients | |||
| signal that they understand the new algorithm. This may be in the | signal that they understand the new algorithm. This may be in the | |||
| order of years rather than months. Note that clients that do not | order of years rather than months. Note that clients that do not | |||
| implement these options are likely to be older implementations which | implement these options are likely to be older implementations which | |||
| would also not implement any newly deployed algorithm. | would also not implement any newly deployed algorithm. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| The algorithm codes used to identify DNSSEC algorithms, DS RR hash | The algorithm codes used to identify DNSSEC algorithms, DS RR hash | |||
| algorithms and NSEC3 hash algorithms have already been established by | algorithms and NSEC3 hash algorithms have already been established by | |||
| End of changes. 5 change blocks. | ||||
| 11 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||